Trusted tunnel bridge

ABSTRACT

Various embodiments of the present application set forth a computer-implemented method that includes receiving, by a trusted tunnel bridge and from a first application executing in a first network, a first encrypted data packet, where the first encrypted data packet includes an encrypted portion of data, and a destination device identifier (DDI). The method further includes determining, by the trusted tunnel bridge, a particular device in a second network and associated with the DDI included in the first encrypted data packet. The method further includes sending, by the trusted tunnel bridge directly to the particular device, the first encrypted data packet.

BACKGROUND Field of the Embodiments

The present invention relates generally to computer networks, and morespecifically, to a trusted tunnel bridge.

Description of the Related Art

In modern corporate environments, various devices are implemented topresent data relating to the metrics of performance of other machineswithin the corporate environment. The performance metrics may relate tovarious aspects of the status and/or performance of a single machine orof a larger operating environment. Such performance metrics may include,for example, central processing unit (CPU) utilization, memoryutilization, disk storage utilization, and operating temperature.

An information technology (IT) specialist, or other profession, maymonitor these metrics via a display on a device that receives theperformance metrics. By monitoring the appropriate performance metricsfor each machine, the IT specialist may determine which machines areoperating normally. Likewise, the IT specialist may determine that oneor more metrics are outside the normal operating range for thecorresponding machine.

One drawback with the approach set forth above is that the device thatdisplays the performance metrics may be separated by a firewall from theone or more applications that compute the performance metrics. As aresult, the network that includes the firewall is required to open aport through the firewall to enable communications between the deviceand the application. Because certain networks do not allow ports throughthe firewall to be open, the device cannot communicate with theapplication and, as a result, cannot receive the performance metrics dueto the metrics being blocked by the firewall.

As the foregoing illustrates, what is needed in the art is an efficientway for devices to communicate through a network firewall.

SUMMARY

A trusted tunnel bridge service establishes a WebSocket connection witha destination device within a computer network that is protected by afirewall. During operation, the trusted tunnel bridge receives encrypteddata packets from a source application that is located within adifferent computer network. The encrypted data packet includes payloaddata and an identifier associated with the destination device. Uponreceiving the encrypted data packet, the trusted tunnel bridgeidentifies the destination device based on information included in theencrypted data packet. In order to identify the destination device, thetrusted tunnel bridge scans entries of a routing/forwarding table, usingthe identifier as a search key. Upon locating a matching entry andidentifying the destination device, the trusted tunnel bridge sends theencrypted data packet to the destination device via the WebSocketconnection.

Various embodiments of the present application set forth acomputer-implemented method that includes receiving, by a trusted tunnelbridge and from a first application executing in a first network, afirst encrypted data packet, where the first encrypted data packetincludes an encrypted portion of data, and a destination deviceidentifier (DDI). The method further includes determining, by thetrusted tunnel bridge, a particular device in a second network andassociated with the DDI included in the first encrypted data packet. Themethod further includes sending, by the trusted tunnel bridge directlyto the particular device, the first encrypted data packet.

Other embodiments of the present invention include, without limitation,a computer-readable medium including instructions for performing one ormore aspects of the disclosed techniques, as well as a computing devicefor performing one or more aspects of the disclosed techniques.

At least one advantage of the disclosed techniques is that a device isable to receive data from an application in a different network withoutneeding an open port through a firewall within one of the networks. As aresult, the device is able to receive data relating to the performancemetrics of machines as computed by applications located in a differentnetwork. In addition, the system components located in differentnetworks are able to send E2EE communications because the trusted tunnelbridge service does not need to decrypt messages when determining theintended recipient of a message.

BRIEF DESCRIPTION OF THE DRAWINGS

So that the manner in which the above recited features of the variousembodiments can be understood in detail, a more particular descriptionof the inventive concepts, briefly summarized above, may be had byreference to various embodiments, some of which are illustrated in theappended drawings. It is to be noted, however, that the appendeddrawings illustrate only typical embodiments of the inventive conceptsand are therefore not to be considered limiting of scope in any way, andthat there are other equally effective embodiments.

FIG. 1 is a block diagram of an example networked computer environment,in accordance with example embodiments;

FIG. 2 is a block diagram of an example data intake and query system, inaccordance with example embodiments;

FIG. 3 is a block diagram of an example cloud-based data intake andquery system, in accordance with example embodiments;

FIG. 4 is a block diagram of an example data intake and query systemthat performs searches across external data systems, in accordance withexample embodiments;

FIG. 5A is a flowchart of an example method that illustrates howindexers process, index, and store data received from forwarders, inaccordance with example embodiments;

FIG. 5B is a block diagram of a data structure in which time-stampedevent data can be stored in a data store, in accordance with exampleembodiments;

FIG. 5C provides a visual representation of the manner in which apipelined search language or query operates, in accordance with exampleembodiments;

FIG. 6A is a flow diagram of an example method that illustrates how asearch head and indexers perform a search query, in accordance withexample embodiments;

FIG. 6B provides a visual representation of an example manner in which apipelined command language or query operates, in accordance with exampleembodiments;

FIG. 7A is a diagram of an example scenario where a common customeridentifier is found among log data received from three disparate datasources, in accordance with example embodiments;

FIG. 7B illustrates an example of processing keyword searches and fieldsearches, in accordance with disclosed embodiments;

FIG. 7C illustrates an example of creating and using an inverted index,in accordance with example embodiments;

FIG. 7D depicts a flowchart of example use of an inverted index in apipelined search query, in accordance with example embodiments;

FIG. 8A is an interface diagram of an example user interface for asearch screen, in accordance with example embodiments;

FIG. 8B is an interface diagram of an example user interface for a datasummary dialog that enables a user to select various data sources, inaccordance with example embodiments;

FIGS. 9-15 are interface diagrams of example report generation userinterfaces, in accordance with example embodiments;

FIG. 16 is an example search query received from a client and executedby search peers, in accordance with example embodiments;

FIG. 17A is an interface diagram of an example user interface of a keyindicators view, in accordance with example embodiments;

FIG. 17B is an interface diagram of an example user interface of anincident review dashboard, in accordance with example embodiments;

FIG. 17C is a tree diagram of an example a proactive monitoring tree, inaccordance with example embodiments;

FIG. 17D is an interface diagram of an example a user interfacedisplaying both log data and performance data, in accordance withexample embodiments;

FIG. 18A illustrates a more detailed view of the example system of FIG.4, in accordance with example embodiments;

FIG. 18B illustrates a network architecture that enables securecommunications between extended reality application and an on-premisesenvironment for data intake and query system, in accordance with exampleembodiments;

FIG. 19 is a block diagram of another example networked computerenvironment, in accordance with example embodiments;

FIG. 20 illustrates a more detailed view of the example networkedcomputer environment, in accordance with example environments;

FIG. 21 illustrates a call flow diagram between various components ofthe example networked computing environment, in accordance with exampleembodiments;

FIG. 22 illustrates another call flow diagram between various componentsof the example networked computing environment, in accordance withexample embodiments;

FIG. 23 sets forth a flow diagram of method steps for sending anencrypted data packet to a destination device, in accordance withexample embodiments.

DETAILED DESCRIPTION

In the following description, numerous specific details are set forth toprovide a more thorough understanding of the various embodiments.However, it will be apparent to one of skilled in the art that theinventive concepts may be practiced without one or more of thesespecific details.

Embodiments are described herein according to the following outline:

1. General Overview

2. Operating Environment

2.1. Host Devices

2.2. Client Devices

2.3. Client Device Applications

2.4. Data Server System

2.5. Cloud-Based System Overview

2.6. Searching Externally-Archived Data

-   -   2.6.1. ERP Process Features

2.7. DATA INGESTION

-   -   2.7.1. Input    -   2.7.2. Parsing    -   2.7.3. Indexing

2.8. Query Processing

2.9. Pipelined Search Language

2.10. Field Extraction

2.11. Example Search Screen

2.12. DATA MODELS

2.13. Acceleration Technique

-   -   2.13.1. Aggregation Technique    -   2.13.2. Keyword Index    -   2.13.3. High Performance Analytics Store    -   2.13.4. Extracting Event Data Using Posting Values    -   2.13.5. Accelerating Report Generation

2.14. DATA CENTER MONITORING

3. Extended Reality Overlays In An Industrial Environment

3.1. Optical Data Marker-Based Extended Reality Techniques

4. Trusted Tunnel Bridge Service

4.1. Trusted Tunnel Bridge Service System

4.2. Trusted Tunnel Bridge Service Techniques

1. General Overview

Modern data centers and other computing environments can compriseanywhere from a few host computer systems to thousands of systemsconfigured to process data, service requests from remote clients, andperform numerous other computational tasks. During operation, variouscomponents within these computing environments often generatesignificant volumes of machine data. Machine data is any data producedby a machine or component in an information technology (IT) environmentand that reflects activity in the IT environment. For example, machinedata can be raw machine data that is generated by various components inIT environments, such as servers, sensors, routers, mobile devices,Internet of Things (IoT) devices, etc. Machine data can include systemlogs, network packet data, sensor data, application program data, errorlogs, stack traces, system performance data, etc. In general, machinedata can also include performance data, diagnostic information, and manyother types of data that can be analyzed to diagnose performanceproblems, monitor user interactions, and to derive other insights.

A number of tools are available to analyze machine data. In order toreduce the size of the potentially vast amount of machine data that maybe generated, many of these tools typically pre-process the data basedon anticipated data-analysis needs. For example, pre-specified dataitems may be extracted from the machine data and stored in a database tofacilitate efficient retrieval and analysis of those data items atsearch time. However, the rest of the machine data typically is notsaved and is discarded during pre-processing. As storage capacitybecomes progressively cheaper and more plentiful, there are fewerincentives to discard these portions of machine data and many reasons toretain more of the data.

This plentiful storage capacity is presently making it feasible to storemassive quantities of minimally processed machine data for laterretrieval and analysis. In general, storing minimally processed machinedata and performing analysis operations at search time can providegreater flexibility because it enables an analyst to search all of themachine data, instead of searching only a pre-specified set of dataitems. This may enable an analyst to investigate different aspects ofthe machine data that previously were unavailable for analysis.

However, analyzing and searching massive quantities of machine datapresents a number of challenges. For example, a data center, servers, ornetwork appliances may generate many different types and formats ofmachine data (e.g., system logs, network packet data (e.g., wire data,etc.), sensor data, application program data, error logs, stack traces,system performance data, operating system data, virtualization data,etc.) from thousands of different components, which can collectively bevery time-consuming to analyze. In another example, mobile devices maygenerate large amounts of information relating to data accesses,application performance, operating system performance, networkperformance, etc. There can be millions of mobile devices that reportthese types of information.

These challenges can be addressed by using an event-based data intakeand query system, such as the SPLUNK® ENTERPRISE system developed bySplunk Inc. of San Francisco, Calif. The SPLUNK® ENTERPRISE system isthe leading platform for providing real-time operational intelligencethat enables organizations to collect, index, and search machine datafrom various websites, applications, servers, networks, and mobiledevices that power their businesses. The data intake and query system isparticularly useful for analyzing data which is commonly found in systemlog files, network data, and other data input sources. Although many ofthe techniques described herein are explained with reference to a dataintake and query system similar to the SPLUNK® ENTERPRISE system, thesetechniques are also applicable to other types of data systems.

In the data intake and query system, machine data are collected andstored as “events”. An event comprises a portion of machine data and isassociated with a specific point in time. The portion of machine datamay reflect activity in an IT environment and may be produced by acomponent of that IT environment, where the events may be searched toprovide insight into the IT environment, thereby improving theperformance of components in the IT environment. Events may be derivedfrom “time series data,” where the time series data comprises a sequenceof data points (e.g., performance measurements from a computer system,etc.) that are associated with successive points in time. In general,each event has a portion of machine data that is associated with atimestamp that is derived from the portion of machine data in the event.A timestamp of an event may be determined through interpolation betweentemporally proximate events having known timestamps or may be determinedbased on other configurable rules for associating timestamps withevents.

In some instances, machine data can have a predefined format, where dataitems with specific data formats are stored at predefined locations inthe data. For example, the machine data may include data associated withfields in a database table. In other instances, machine data may nothave a predefined format (e.g., may not be at fixed, predefinedlocations), but may have repeatable (e.g., non-random) patterns. Thismeans that some machine data can comprise various data items ofdifferent data types that may be stored at different locations withinthe data. For example, when the data source is an operating system log,an event can include one or more lines from the operating system logcontaining machine data that includes different types of performance anddiagnostic information associated with a specific point in time (e.g., atimestamp).

Examples of components which may generate machine data from which eventscan be derived include, but are not limited to, web servers, applicationservers, databases, firewalls, routers, operating systems, and softwareapplications that execute on computer systems, mobile devices, sensors,Internet of Things (IoT) devices, etc. The machine data generated bysuch data sources can include, for example and without limitation,server log files, activity log files, configuration files, messages,network packet data, performance measurements, sensor measurements, etc.

The data intake and query system uses a flexible schema to specify howto extract information from events. A flexible schema may be developedand redefined as needed. Note that a flexible schema may be applied toevents “on the fly,” when it is needed (e.g., at search time, indextime, ingestion time, etc.). When the schema is not applied to eventsuntil search time, the schema may be referred to as a “late-bindingschema.”

During operation, the data intake and query system receives machine datafrom any type and number of sources (e.g., one or more system logs,streams of network packet data, sensor data, application program data,error logs, stack traces, system performance data, etc.). The systemparses the machine data to produce events each having a portion ofmachine data associated with a timestamp. The system stores the eventsin a data store. The system enables users to run queries against thestored events to, for example, retrieve events that meet criteriaspecified in a query, such as criteria indicating certain keywords orhaving specific values in defined fields. As used herein, the term“field” refers to a location in the machine data of an event containingone or more values for a specific data item. A field may be referencedby a field name associated with the field. As will be described in moredetail herein, a field is defined by an extraction rule (e.g., a regularexpression) that derives one or more values or a sub-portion of textfrom the portion of machine data in each event to produce a value forthe field for that event. The set of values produced aresemantically-related (such as IP address), even though the machine datain each event may be in different formats (e.g., semantically-relatedvalues may be in different positions in the events derived fromdifferent sources).

As described above, the system stores the events in a data store. Theevents stored in the data store are field-searchable, wherefield-searchable herein refers to the ability to search the machine data(e.g., the raw machine data) of an event based on a field specified insearch criteria. For example, a search having criteria that specifies afield name “UserID” may cause the system to field-search the machinedata of events to identify events that have the field name “UserID.” Inanother example, a search having criteria that specifies a field name“UserID” with a corresponding field value “12345” may cause the systemto field-search the machine data of events to identify events havingthat field-value pair (e.g., field name “UserID” with a correspondingfield value of “12345”). Events are field-searchable using one or moreconfiguration files associated with the events. Each configuration fileincludes one or more field names, where each field name is associatedwith a corresponding extraction rule and a set of events to which thatextraction rule applies. The set of events to which an extraction ruleapplies may be identified by metadata associated with the set of events.For example, an extraction rule may apply to a set of events that areeach associated with a particular host, source, or source type. Whenevents are to be searched based on a particular field name specified ina search, the system uses one or more configuration files to determinewhether there is an extraction rule for that particular field name thatapplies to each event that falls within the criteria of the search. Ifso, the event is considered as part of the search results (andadditional processing may be performed on that event based on criteriaspecified in the search). If not, the next event is similarly analyzed,and so on.

As noted above, the data intake and query system utilizes a late-bindingschema while performing queries on events. One aspect of a late-bindingschema is applying extraction rules to events to extract values forspecific fields during search time. More specifically, the extractionrule for a field can include one or more instructions that specify howto extract a value for the field from an event. An extraction rule cangenerally include any type of instruction for extracting values fromevents. In some cases, an extraction rule comprises a regularexpression, where a sequence of characters form a search pattern. Anextraction rule comprising a regular expression is referred to herein asa regex rule. The system applies a regex rule to an event to extractvalues for a field associated with the regex rule, where the values areextracted by searching the event for the sequence of characters definedin the regex rule.

In the data intake and query system, a field extractor may be configuredto automatically generate extraction rules for certain fields in theevents when the events are being created, indexed, or stored, orpossibly at a later time. Alternatively, a user may manually defineextraction rules for fields using a variety of techniques. In contrastto a conventional schema for a database system, a late-binding schema isnot defined at data ingestion time. Instead, the late-binding schema canbe developed on an ongoing basis until the time a query is actuallyexecuted. This means that extraction rules for the fields specified in aquery may be provided in the query itself, or may be located duringexecution of the query. Hence, as a user learns more about the data inthe events, the user can continue to refine the late-binding schema byadding new fields, deleting fields, or modifying the field extractionrules for use the next time the schema is used by the system. Becausethe data intake and query system maintains the underlying machine dataand uses a late-binding schema for searching the machine data, itenables a user to continue investigating and learn valuable insightsabout the machine data.

In some embodiments, a common field name may be used to reference two ormore fields containing equivalent and/or similar data items, even thoughthe fields may be associated with different types of events thatpossibly have different data formats and different extraction rules. Byenabling a common field name to be used to identify equivalent and/orsimilar fields from different types of events generated by disparatedata sources, the system facilitates use of a “common information model”(CIM) across the disparate data sources (further discussed with respectto FIG. 7A).

2. Operating Environment

FIG. 1 is a block diagram of an example networked computer environment100, in accordance with example embodiments. Those skilled in the artwould understand that FIG. 1 represents one example of a networkedcomputer system and other embodiments may use different arrangements.

The networked computer system 100 comprises one or more computingdevices. These one or more computing devices comprise any combination ofhardware and software configured to implement the various logicalcomponents described herein. For example, the one or more computingdevices may include one or more memories that store instructions forimplementing the various components described herein, one or morehardware processors configured to execute the instructions stored in theone or more memories, and various data repositories in the one or morememories for storing data structures utilized and manipulated by thevarious components.

In some embodiments, one or more client devices 102 are coupled to oneor more host devices 106 and a data intake and query system 108 via oneor more networks 104. Networks 104 broadly represent one or more LANs,WANs, cellular networks (e.g., LTE, HSPA, 3G, and other cellulartechnologies), and/or networks using any of wired, wireless, terrestrialmicrowave, or satellite links, and may include the public Internet.

2.1. Host Devices

In the illustrated embodiment, a system 100 includes one or more hostdevices 106. Host devices 106 may broadly include any number ofcomputers, virtual machine instances, and/or data centers that areconfigured to host or execute one or more instances of host applications114. In general, a host device 106 may be involved, directly orindirectly, in processing requests received from client devices 102.Each host device 106 may comprise, for example, one or more of a networkdevice, a web server, an application server, a database server, etc. Acollection of host devices 106 may be configured to implement anetwork-based service. For example, a provider of a network-basedservice may configure one or more host devices 106 and host applications114 (e.g., one or more web servers, application servers, databaseservers, etc.) to collectively implement the network-based application.

In general, client devices 102 communicate with one or more hostapplications 114 to exchange information. The communication between aclient device 102 and a host application 114 may, for example, be basedon the Hypertext Transfer Protocol (HTTP) or any other network protocol.Content delivered from the host application 114 to a client device 102may include, for example, HTML documents, media content, etc. Thecommunication between a client device 102 and host application 114 mayinclude sending various requests and receiving data packets. Forexample, in general, a client device 102 or application running on aclient device may initiate communication with a host application 114 bymaking a request for a specific resource (e.g., based on an HTTPrequest), and the application server may respond with the requestedcontent stored in one or more response packets.

In the illustrated embodiment, one or more of host applications 114 maygenerate various types of performance data during operation, includingevent logs, network data, sensor data, and other types of machine data.For example, a host application 114 comprising a web server may generateone or more web server logs in which details of interactions between theweb server and any number of client devices 102 is recorded. As anotherexample, a host device 106 comprising a router may generate one or morerouter logs that record information related to network traffic managedby the router. As yet another example, a host application 114 comprisinga database server may generate one or more logs that record informationrelated to requests sent from other host applications 114 (e.g., webservers or application servers) for data managed by the database server.

2.2. Client Devices

Client devices 102 of FIG. 1 represent any computing device capable ofinteracting with one or more host devices 106 via a network 104.Examples of client devices 102 may include, without limitation,smartphones, tablet computers, handheld computers, wearable devices,laptop computers, desktop computers, servers, portable media players,gaming devices, and so forth. In general, a client device 102 canprovide access to different content, for instance, content provided byone or more host devices 106, etc. Each client device 102 may compriseone or more client applications 110, described in more detail in aseparate section hereinafter.

2.3. Client Device Applications

In some embodiments, each client device 102 may host or execute one ormore client applications 110 that are capable of interacting with one ormore host devices 106 via one or more networks 104. For instance, aclient application 110 may be or comprise a web browser that a user mayuse to navigate to one or more websites or other resources provided byone or more host devices 106. As another example, a client application110 may comprise a mobile application or “app.” For example, an operatorof a network-based service hosted by one or more host devices 106 maymake available one or more mobile apps that enable users of clientdevices 102 to access various resources of the network-based service. Asyet another example, client applications 110 may include backgroundprocesses that perform various operations without direct interactionfrom a user. A client application 110 may include a “plug-in” or“extension” to another application, such as a web browser plug-in orextension.

In some embodiments, a client application 110 may include a monitoringcomponent 112. At a high level, the monitoring component 112 comprises asoftware component or other logic that facilitates generatingperformance data related to a client device's operating state, includingmonitoring network traffic sent and received from the client device andcollecting other device and/or application-specific information.Monitoring component 112 may be an integrated component of a clientapplication 110, a plug-in, an extension, or any other type of add-oncomponent. Monitoring component 112 may also be a stand-alone process.

In some embodiments, a monitoring component 112 may be created when aclient application 110 is developed, for example, by an applicationdeveloper using a software development kit (SDK). The SDK may includecustom monitoring code that can be incorporated into the codeimplementing a client application 110. When the code is converted to anexecutable application, the custom code implementing the monitoringfunctionality can become part of the application itself.

In some embodiments, an SDK or other code for implementing themonitoring functionality may be offered by a provider of a data intakeand query system, such as a system 108. In such cases, the provider ofthe system 108 can implement the custom code so that performance datagenerated by the monitoring functionality is sent to the system 108 tofacilitate analysis of the performance data by a developer of the clientapplication or other users.

In some embodiments, the custom monitoring code may be incorporated intothe code of a client application 110 in a number of different ways, suchas the insertion of one or more lines in the client application codethat call or otherwise invoke the monitoring component 112. As such, adeveloper of a client application 110 can add one or more lines of codeinto the client application 110 to trigger the monitoring component 112at desired points during execution of the application. Code thattriggers the monitoring component may be referred to as a monitortrigger. For instance, a monitor trigger may be included at or near thebeginning of the executable code of the client application 110 such thatthe monitoring component 112 is initiated or triggered as theapplication is launched, or included at other points in the code thatcorrespond to various actions of the client application, such as sendinga network request or displaying a particular interface.

In some embodiments, the monitoring component 112 may monitor one ormore aspects of network traffic sent and/or received by a clientapplication 110. For example, the monitoring component 112 may beconfigured to monitor data packets transmitted to and/or from one ormore host applications 114. Incoming and/or outgoing data packets can beread or examined to identify network data contained within the packets,for example, and other aspects of data packets can be analyzed todetermine a number of network performance statistics. Monitoring networktraffic may enable information to be gathered particular to the networkperformance associated with a client application 110 or set ofapplications.

In some embodiments, network performance data refers to any type of datathat indicates information about the network and/or network performance.Network performance data may include, for instance, a URL requested, aconnection type (e.g., HTTP, HTTPS, etc.), a connection start time, aconnection end time, an HTTP status code, request length, responselength, request headers, response headers, connection status (e.g.,completion, response time(s), failure, etc.), and the like. Uponobtaining network performance data indicating performance of thenetwork, the network performance data can be transmitted to a dataintake and query system 108 for analysis.

Upon developing a client application 110 that incorporates a monitoringcomponent 112, the client application 110 can be distributed to clientdevices 102. Applications generally can be distributed to client devices102 in any manner, or they can be pre-loaded. In some cases, theapplication may be distributed to a client device 102 via an applicationmarketplace or other application distribution system. For instance, anapplication marketplace or other application distribution system mightdistribute the application to a client device based on a request fromthe client device to download the application.

Examples of functionality that enables monitoring performance of aclient device are described in U.S. patent application Ser. No.14/524,748, entitled “UTILIZING PACKET HEADERS TO MONITOR NETWORKTRAFFIC IN ASSOCIATION WITH A CLIENT DEVICE”, filed on 27 Oct. 2014, andwhich is hereby incorporated by reference in its entirety for allpurposes.

In some embodiments, the monitoring component 112 may also monitor andcollect performance data related to one or more aspects of theoperational state of a client application 110 and/or client device 102.For example, a monitoring component 112 may be configured to collectdevice performance information by monitoring one or more client deviceoperations, or by making calls to an operating system and/or one or moreother applications executing on a client device 102 for performanceinformation. Device performance information may include, for instance, acurrent wireless signal strength of the device, a current connectiontype and network carrier, current memory performance information, ageographic location of the device, a device orientation, and any otherinformation related to the operational state of the client device.

In some embodiments, the monitoring component 112 may also monitor andcollect other device profile information including, for example, a typeof client device, a manufacturer and model of the device, versions ofvarious software applications installed on the device, and so forth.

In general, a monitoring component 112 may be configured to generateperformance data in response to a monitor trigger in the code of aclient application 110 or other triggering application event, asdescribed above, and to store the performance data in one or more datarecords. Each data record, for example, may include a collection offield-value pairs, each field-value pair storing a particular item ofperformance data in association with a field for the item. For example,a data record generated by a monitoring component 112 may include a“networkLatency” field (not shown in FIG. 1) in which a value is stored.This field indicates a network latency measurement associated with oneor more network requests. The data record may include a “state” field tostore a value indicating a state of a network connection, and so forthfor any number of aspects of collected performance data.

2.4. Data Server System

FIG. 2 is a block diagram of an example data intake and query system108, in accordance with example embodiments. System 108 includes one ormore forwarders 204 that receive data from a variety of input datasources 202, and one or more indexers 206 that process and store thedata in one or more data stores 208. These forwarders 204 and indexers208 can comprise separate computer systems, or may alternativelycomprise separate processes executing on one or more computer systems.

Each data source 202 broadly represents a distinct source of data thatcan be consumed by system 108. Examples of data sources 202 include,without limitation, data files, directories of files, data sent over anetwork, event logs, registries, etc.

During operation, the forwarders 204 identify which indexers 206 receivedata collected from a data source 202 and forward the data to theappropriate indexers. Forwarders 204 can also perform operations on thedata before forwarding, including removing extraneous data, detectingtimestamps in the data, parsing data, indexing data, routing data basedon criteria relating to the data being routed, and/or performing otherdata transformations.

In some embodiments, a forwarder 204 may comprise a service accessibleto client devices 102 and host devices 106 via a network 104. Forexample, one type of forwarder 204 may be capable of consuming vastamounts of real-time data from a potentially large number of clientdevices 102 and/or host devices 106. The forwarder 204 may, for example,comprise a computing device which implements multiple data pipelines or“queues” to handle forwarding of network data to indexers 206. Aforwarder 204 may also perform many of the functions that are performedby an indexer. For example, a forwarder 204 may perform keywordextractions on raw data or parse raw data to create events. A forwarder204 may generate time stamps for events. Additionally or alternatively,a forwarder 204 may perform routing of events to indexers 206. Datastore 208 may contain events derived from machine data from a variety ofsources all pertaining to the same component in an IT environment, andthis data may be produced by the machine in question or by othercomponents in the IT environment.

2.5. Cloud-Based System Overview

The example data intake and query system 108 described in reference toFIG. 2 comprises several system components, including one or moreforwarders, indexers, and search heads. In some environments, a user ofa data intake and query system 108 may install and configure, oncomputing devices owned and operated by the user, one or more softwareapplications that implement some or all of these system components. Forexample, a user may install a software application on server computersowned by the user and configure each server to operate as one or more ofa forwarder, an indexer, a search head, etc. This arrangement generallymay be referred to as an “on-premises” solution. That is, the system 108is installed and operates on computing devices directly controlled bythe user of the system. Some users may prefer an on-premises solutionbecause it may provide a greater level of control over the configurationof certain aspects of the system (e.g., security, privacy, standards,controls, etc.). However, other users may instead prefer an arrangementin which the user is not directly responsible for providing and managingthe computing devices upon which various components of system 108operate.

In one embodiment, to provide an alternative to an entirely on-premisesenvironment for system 108, one or more of the components of a dataintake and query system instead may be provided as a cloud-basedservice. In this context, a cloud-based service refers to a servicehosted by one more computing resources that are accessible to end usersover a network, for example, by using a web browser or other applicationon a client device to interface with the remote computing resources. Forexample, a service provider may provide a cloud-based data intake andquery system by managing computing resources configured to implementvarious aspects of the system (e.g., forwarders, indexers, search heads,etc.) and by providing access to the system to end users via a network.Typically, a user may pay a subscription or other fee to use such aservice. Each subscribing user of the cloud-based service may beprovided with an account that enables the user to configure a customizedcloud-based system based on the user's preferences.

FIG. 3 illustrates a block diagram of an example cloud-based data intakeand query system. Similar to the system of FIG. 2, the networkedcomputer system 300 includes input data sources 202 and forwarders 204.These input data sources and forwarders may be in a subscriber's privatecomputing environment. Alternatively, they might be directly managed bythe service provider as part of the cloud service. In the example system300, one or more forwarders 204 and client devices 302 are coupled to acloud-based data intake and query system 306 via one or more networks304. Network 304 broadly represents one or more LANs, WANs, cellularnetworks, intranetworks, internetworks, etc., using any of wired,wireless, terrestrial microwave, satellite links, etc., and may includethe public Internet, and is used by client devices 302 and forwarders204 to access the system 306. Similar to the system of 38, each of theforwarders 204 may be configured to receive data from an input sourceand to forward the data to other components of the system 306 forfurther processing.

In some embodiments, a cloud-based data intake and query system 306 maycomprise a plurality of system instances 308. In general, each systeminstance 308 may include one or more computing resources managed by aprovider of the cloud-based system 306 made available to a particularsubscriber. The computing resources comprising a system instance 308may, for example, include one or more servers or other devicesconfigured to implement one or more forwarders, indexers, search heads,and other components of a data intake and query system, similar tosystem 108. As indicated above, a subscriber may use a web browser orother application of a client device 302 to access a web portal or otherinterface that enables the subscriber to configure an instance 308.

Providing a data intake and query system as described in reference tosystem 108 as a cloud-based service presents a number of challenges.Each of the components of a system 108 (e.g., forwarders, indexers, andsearch heads) may at times refer to various configuration files storedlocally at each component. These configuration files typically mayinvolve some level of user configuration to accommodate particular typesof data a user desires to analyze and to account for other userpreferences. However, in a cloud-based service context, users typicallymay not have direct access to the underlying computing resourcesimplementing the various system components (e.g., the computingresources comprising each system instance 308) and may desire to makesuch configurations indirectly, for example, using one or more web-basedinterfaces. Thus, the techniques and systems described herein forproviding user interfaces that enable a user to configure source typedefinitions are applicable to both on-premises and cloud-based servicecontexts, or some combination thereof (e.g., a hybrid system where bothan on-premises environment, such as SPLUNK® ENTERPRISE, and acloud-based environment, such as SPLUNK CLOUD™, are centrally visible).

2.6. Searching Externally-Archived Data

FIG. 4 shows a block diagram of an example of a data intake and querysystem 108 that provides transparent search facilities for data systemsthat are external to the data intake and query system. Such facilitiesare available in the Splunk® Analytics for Hadoop® system provided bySplunk Inc. of San Francisco, Calif. Splunk® Analytics for Hadoop®represents an analytics platform that enables business and IT teams torapidly explore, analyze, and visualize data in Hadoop® and NoSQL datastores.

The search head 210 of the data intake and query system receives searchrequests from one or more client devices 404 over network connections420. As discussed above, the data intake and query system 108 may residein an enterprise location, in the cloud, etc. FIG. 4 illustrates thatmultiple client devices 404 a, 404 b, . . . , 404 n may communicate withthe data intake and query system 108. The client devices 404 maycommunicate with the data intake and query system using a variety ofconnections. For example, one client device in FIG. 4 is illustrated ascommunicating over an Internet (Web) protocol, another client device isillustrated as communicating via a command line interface, and anotherclient device is illustrated as communicating via a software developerkit (SDK).

The search head 210 analyzes the received search request to identifyrequest parameters. If a search request received from one of the clientdevices 404 references an index maintained by the data intake and querysystem, then the search head 210 connects to one or more indexers 206 ofthe data intake and query system for the index referenced in the requestparameters. That is, if the request parameters of the search requestreference an index, then the search head accesses the data in the indexvia the indexer. The data intake and query system 108 may include one ormore indexers 206, depending on system access resources andrequirements. As described further below, the indexers 206 retrieve datafrom their respective local data stores 208 as specified in the searchrequest. The indexers and their respective data stores can comprise oneor more storage devices and typically reside on the same system, thoughthey may be connected via a local network connection.

If the request parameters of the received search request reference anexternal data collection, which is not accessible to the indexers 206 orunder the management of the data intake and query system, then thesearch head 210 can access the external data collection through anExternal Result Provider (ERP) process 410. An external data collectionmay be referred to as a “virtual index” (plural, “virtual indices”). AnERP process provides an interface through which the search head 210 mayaccess virtual indices.

Thus, a search reference to an index of the system relates to a locallystored and managed data collection. In contrast, a search reference to avirtual index relates to an externally stored and managed datacollection, which the search head may access through one or more ERPprocesses 410, 412. FIG. 4 shows two ERP processes 410, 412 that connectto respective remote (external) virtual indices, which are indicated asa Hadoop or another system 414 (e.g., Amazon S3, Amazon EMR, otherHadoop® Compatible File Systems (HCFS), etc.) and a relational databasemanagement system (RDBMS) 416. Other virtual indices may include otherfile organizations and protocols, such as Structured Query Language(SQL) and the like. The ellipses between the ERP processes 410, 412indicate optional additional ERP processes of the data intake and querysystem 108. An ERP process may be a computer process that is initiatedor spawned by the search head 210 and is executed by the search dataintake and query system 108. Alternatively or additionally, an ERPprocess may be a process spawned by the search head 210 on the same ordifferent host system as the search head 210 resides.

The search head 210 may spawn a single ERP process in response tomultiple virtual indices referenced in a search request, or the searchhead may spawn different ERP processes for different virtual indices.Generally, virtual indices that share common data configurations orprotocols may share ERP processes. For example, all search queryreferences to a Hadoop file system may be processed by the same ERPprocess, if the ERP process is suitably configured. Likewise, all searchquery references to a SQL database may be processed by the same ERPprocess. In addition, the search head may provide a common ERP processfor common external data source types (e.g., a common vendor may utilizea common ERP process, even if the vendor includes different data storagesystem types, such as Hadoop and SQL). Common indexing schemes also maybe handled by common ERP processes, such as flat text files or Weblogfiles.

The search head 210 determines the number of ERP processes to beinitiated via the use of configuration parameters that are included in asearch request message. Generally, there is a one-to-many relationshipbetween an external results provider “family” and ERP processes. Thereis also a one-to-many relationship between an ERP process andcorresponding virtual indices that are referred to in a search request.For example, using RDBMS, assume two independent instances of such asystem by one vendor, such as one RDBMS for production and another RDBMSused for development. In such a situation, it is likely preferable (butoptional) to use two ERP processes to maintain the independent operationas between production and development data. Both of the ERPs, however,will belong to the same family, because the two RDBMS system types arefrom the same vendor.

The ERP processes 410, 412 receive a search request from the search head210. The search head may optimize the received search request forexecution at the respective external virtual index. Alternatively, theERP process may receive a search request as a result of analysisperformed by the search head or by a different system process. The ERPprocesses 410, 412 can communicate with the search head 210 viaconventional input/output routines (e.g., standard in/standard out,etc.). In this way, the ERP process receives the search request from aclient device such that the search request may be efficiently executedat the corresponding external virtual index.

The ERP processes 410, 412 may be implemented as a process of the dataintake and query system. Each ERP process may be provided by the dataintake and query system, or may be provided by process or applicationproviders who are independent of the data intake and query system. Eachrespective ERP process may include an interface application installed ata computer of the external result provider that ensures propercommunication between the search support system and the external resultprovider. The ERP processes 410, 412 generate appropriate searchrequests in the protocol and syntax of the respective virtual indices414, 416, each of which corresponds to the search request received bythe search head 210. Upon receiving search results from theircorresponding virtual indices, the respective ERP process passes theresult to the search head 210, which may return or display the resultsor a processed set of results based on the returned results to therespective client device.

Client devices 404 may communicate with the data intake and query system108 through a network interface 420, e.g., one or more LANs, WANs,cellular networks, intranetworks, and/or internetworks using any ofwired, wireless, terrestrial microwave, satellite links, etc., and mayinclude the public Internet.

The analytics platform utilizing the External Result Provider processdescribed in more detail in U.S. Pat. No. 8,738,629, entitled “ExternalResult Provided Process For Retrieving Data Stored Using A DifferentConfiguration Or Protocol”, issued on 27 May 2014, U.S. Pat. No.8,738,587, entitled “PROCESSING A SYSTEM SEARCH REQUEST BY RETRIEVINGRESULTS FROM BOTH A NATIVE INDEX AND A VIRTUAL INDEX”, issued on 25 Jul.2013, U.S. patent application Ser. No. 14/266,832, entitled “PROCESSINGA SYSTEM SEARCH REQUEST ACROSS DISPARATE DATA COLLECTION SYSTEMS”, filedon 1 May 2014, and U.S. Pat. No. 9,514,189, entitled “PROCESSING ASYSTEM SEARCH REQUEST INCLUDING EXTERNAL DATA SOURCES”, issued on 6 Dec.2016, each of which is hereby incorporated by reference in its entiretyfor all purposes.

2.6.1. ERP Process Features

The ERP processes described above may include two operation modes: astreaming mode and a reporting mode. The ERP processes can operate instreaming mode only, in reporting mode only, or in both modessimultaneously. Operating in both modes simultaneously is referred to asmixed mode operation. In a mixed mode operation, the ERP at some pointcan stop providing the search head with streaming results and onlyprovide reporting results thereafter, or the search head at some pointmay start ignoring streaming results it has been using and only usereporting results thereafter.

The streaming mode returns search results in real time, with minimalprocessing, in response to the search request. The reporting modeprovides results of a search request with processing of the searchresults prior to providing them to the requesting search head, which inturn provides results to the requesting client device. ERP operationwith such multiple modes provides greater performance flexibility withregard to report time, search latency, and resource utilization.

In a mixed mode operation, both streaming mode and reporting mode areoperating simultaneously. The streaming mode results (e.g., the machinedata obtained from the external data source) are provided to the searchhead, which can then process the results data (e.g., break the machinedata into events, timestamp it, filter it, etc.) and integrate theresults data with the results data from other external data sources,and/or from data stores of the search head. The search head performssuch processing and can immediately start returning interim (streamingmode) results to the user at the requesting client device;simultaneously, the search head is waiting for the ERP process toprocess the data it is retrieving from the external data source as aresult of the concurrently executing reporting mode.

In some instances, the ERP process initially operates in a mixed mode,such that the streaming mode operates to enable the ERP quickly toreturn interim results (e.g., some of the machined data or unprocesseddata necessary to respond to a search request) to the search head,enabling the search head to process the interim results and beginproviding to the client or search requester interim results that areresponsive to the query. Meanwhile, in this mixed mode, the ERP alsooperates concurrently in reporting mode, processing portions of machinedata in a manner responsive to the search query. Upon determining thatit has results from the reporting mode available to return to the searchhead, the ERP may halt processing in the mixed mode at that time (orsome later time) by stopping the return of data in streaming mode to thesearch head and switching to reporting mode only. The ERP at this pointstarts sending interim results in reporting mode to the search head,which in turn may then present this processed data responsive to thesearch request to the client or search requester. Typically the searchhead switches from using results from the ERP's streaming mode ofoperation to results from the ERP's reporting mode of operation when thehigher bandwidth results from the reporting mode outstrip the amount ofdata processed by the search head in the streaming mode of ERPoperation.

A reporting mode may have a higher bandwidth because the ERP does nothave to spend time transferring data to the search head for processingall the machine data. In addition, the ERP may optionally direct anotherprocessor to do the processing.

The streaming mode of operation does not need to be stopped to gain thehigher bandwidth benefits of a reporting mode; the search head couldsimply stop using the streaming mode results—and start using thereporting mode results—when the bandwidth of the reporting mode hascaught up with or exceeded the amount of bandwidth provided by thestreaming mode. Thus, a variety of triggers and ways to accomplish asearch head's switch from using streaming mode results to usingreporting mode results may be appreciated by one skilled in the art.

The reporting mode can involve the ERP process (or an external system)performing event breaking, time stamping, filtering of events to matchthe search query request, and calculating statistics on the results. Theuser can request particular types of data, such as if the search queryitself involves types of events, or the search request may ask forstatistics on data, such as on events that meet the search request. Ineither case, the search head understands the query language used in thereceived query request, which may be a proprietary language. Oneexemplary query language is Splunk Processing Language (SPL) developedby the assignee of the application, Splunk Inc. The search headtypically understands how to use that language to obtain data from theindexers, which store data in a format used by the SPLUNK® Enterprisesystem.

The ERP processes support the search head, as the search head is notordinarily configured to understand the format in which data is storedin external data sources such as Hadoop or SQL data systems. Rather, theERP process performs that translation from the query submitted in thesearch support system's native format (e.g., SPL if SPLUNK® ENTERPRISEis used as the search support system) to a search query request formatthat will be accepted by the corresponding external data system. Theexternal data system typically stores data in a different format fromthat of the search support system's native index format, and it utilizesa different query language (e.g., SQL or MapReduce, rather than SPL orthe like).

As noted, the ERP process can operate in the streaming mode alone. Afterthe ERP process has performed the translation of the query request andreceived raw results from the streaming mode, the search head canintegrate the returned data with any data obtained from local datasources (e.g., native to the search support system), other external datasources, and other ERP processes (if such operations were required tosatisfy the terms of the search query). An advantage of mixed modeoperation is that, in addition to streaming mode, the ERP process isalso executing concurrently in reporting mode. Thus, the ERP process(rather than the search head) is processing query results (e.g.,performing event breaking, timestamping, filtering, possibly calculatingstatistics if required to be responsive to the search query request,etc.). It should be apparent to those skilled in the art that additionaltime is needed for the ERP process to perform the processing in such aconfiguration. Therefore, the streaming mode will allow the search headto start returning interim results to the user at the client devicebefore the ERP process can complete sufficient processing to startreturning any search results. The switchover between streaming andreporting mode happens when the ERP process determines that theswitchover is appropriate, such as when the ERP process determines itcan begin returning meaningful results from its reporting mode.

The operation described above illustrates the source of operationallatency: streaming mode has low latency (immediate results) and usuallyhas relatively low bandwidth (fewer results can be returned per unit oftime). In contrast, the concurrently running reporting mode hasrelatively high latency (it has to perform a lot more processing beforereturning any results) and usually has relatively high bandwidth (moreresults can be processed per unit of time). For example, when the ERPprocess does begin returning report results, it returns more processedresults than in the streaming mode, because, e.g., statistics only needto be calculated to be responsive to the search request. That is, theERP process doesn't have to take time to first return machine data tothe search head. As noted, the ERP process could be configured tooperate in streaming mode alone and return just the machine data for thesearch head to process in a way that is responsive to the searchrequest. Alternatively, the ERP process can be configured to operate inthe reporting mode only. Also, the ERP process can be configured tooperate in streaming mode and reporting mode concurrently, as described,with the ERP process stopping the transmission of streaming results tothe search head when the concurrently running reporting mode has caughtup and started providing results. The reporting mode does not requirethe processing of all machine data that is responsive to the searchquery request before the ERP process starts returning results; rather,the reporting mode usually performs processing of chunks of events andreturns the processing results to the search head for each chunk.

For example, an ERP process can be configured to merely return thecontents of a search result file verbatim, with little or no processingof results. That way, the search head performs all processing (such asparsing byte streams into events, filtering, etc.). The ERP process canbe configured to perform additional intelligence, such as analyzing thesearch request and handling all the computation that a native searchindexer process would otherwise perform. In this way, the configured ERPprocess provides greater flexibility in features while operatingaccording to desired preferences, such as response latency and resourcerequirements.

2.7. Data Ingestion

FIG. 5A is a flow chart of an example method that illustrates howindexers process, index, and store data received from forwarders, inaccordance with example embodiments. The data flow illustrated in FIG.5A is provided for illustrative purposes only; those skilled in the artwould understand that one or more of the steps of the processesillustrated in FIG. 5A may be removed or that the ordering of the stepsmay be changed. Furthermore, for the purposes of illustrating a clearexample, one or more particular system components are described in thecontext of performing various operations during each of the data flowstages. For example, a forwarder is described as receiving andprocessing machine data during an input phase; an indexer is describedas parsing and indexing machine data during parsing and indexing phases;and a search head is described as performing a search query during asearch phase. However, other system arrangements and distributions ofthe processing steps across system components may be used.

2.7.1. Input

At block 502, a forwarder receives data from an input source, such as adata source 202 shown in FIG. 2. A forwarder initially may receive thedata as a raw data stream generated by the input source. For example, aforwarder may receive a data stream from a log file generated by anapplication server, from a stream of network data from a network device,or from any other source of data. In some embodiments, a forwarderreceives the raw data and may segment the data stream into “blocks”,possibly of a uniform data size, to facilitate subsequent processingsteps.

At block 504, a forwarder or other system component annotates each blockgenerated from the raw data with one or more metadata fields. Thesemetadata fields may, for example, provide information related to thedata block as a whole and may apply to each event that is subsequentlyderived from the data in the data block. For example, the metadatafields may include separate fields specifying each of a host, a source,and a source type related to the data block. A host field may contain avalue identifying a host name or IP address of a device that generatedthe data. A source field may contain a value identifying a source of thedata, such as a pathname of a file or a protocol and port related toreceived network data. A source type field may contain a valuespecifying a particular source type label for the data. Additionalmetadata fields may also be included during the input phase, such as acharacter encoding of the data, if known, and possibly other values thatprovide information relevant to later processing steps. In someembodiments, a forwarder forwards the annotated data blocks to anothersystem component (typically an indexer) for further processing.

The data intake and query system allows forwarding of data from one dataintake and query instance to another, or even to a third-party system.The data intake and query system can employ different types offorwarders in a configuration.

In some embodiments, a forwarder may contain the essential componentsneeded to forward data. A forwarder can gather data from a variety ofinputs and forward the data to an indexer for indexing and searching. Aforwarder can also tag metadata (e.g., source, source type, host, etc.).

In some embodiments, a forwarder has the capabilities of theaforementioned forwarder as well as additional capabilities. Theforwarder can parse data before forwarding the data (e.g., can associatea time stamp with a portion of data and create an event, etc.) and canroute data based on criteria such as source or type of event. Theforwarder can also index data locally while forwarding the data toanother indexer.

2.7.2. Parsing

At block 506, an indexer receives data blocks from a forwarder andparses the data to organize the data into events. In some embodiments,to organize the data into events, an indexer may determine a source typeassociated with each data block (e.g., by extracting a source type labelfrom the metadata fields associated with the data block, etc.) and referto a source type configuration corresponding to the identified sourcetype. The source type definition may include one or more properties thatindicate to the indexer to automatically determine the boundaries withinthe received data that indicate the portions of machine data for events.In general, these properties may include regular expression-based rulesor delimiter rules where, for example, event boundaries may be indicatedby predefined characters or character strings. These predefinedcharacters may include punctuation marks or other special charactersincluding, for example, carriage returns, tabs, spaces, line breaks,etc. If a source type for the data is unknown to the indexer, an indexermay infer a source type for the data by examining the structure of thedata. Then, the indexer can apply an inferred source type definition tothe data to create the events.

At block 508, the indexer determines a timestamp for each event. Similarto the process for parsing machine data, an indexer may again refer to asource type definition associated with the data to locate one or moreproperties that indicate instructions for determining a timestamp foreach event. The properties may, for example, instruct an indexer toextract a time value from a portion of data for the event, tointerpolate time values based on timestamps associated with temporallyproximate events, to create a timestamp based on a time the portion ofmachine data was received or generated, to use the timestamp of aprevious event, or use any other rules for determining timestamps.

At block 510, the indexer associates with each event one or moremetadata fields including a field containing the timestamp determinedfor the event. In some embodiments, a timestamp may be included in themetadata fields. These metadata fields may include any number of“default fields” that are associated with all events, and may alsoinclude one more custom fields as defined by a user. Similar to themetadata fields associated with the data blocks at block 504, thedefault metadata fields associated with each event may include a host,source, and source type field including or in addition to a fieldstoring the timestamp.

At block 512, an indexer may optionally apply one or moretransformations to data included in the events created at block 506. Forexample, such transformations can include removing a portion of an event(e.g., a portion used to define event boundaries, extraneous charactersfrom the event, other extraneous text, etc.), masking a portion of anevent (e.g., masking a credit card number), removing redundant portionsof an event, etc. The transformations applied to events may, forexample, be specified in one or more configuration files and referencedby one or more source type definitions.

FIG. 5C illustrates an illustrative example of machine data can bestored in a data store in accordance with various disclosed embodiments.In other embodiments, machine data can be stored in a flat file in acorresponding bucket with an associated index file, such as a timeseries index or “TSIDX.” As such, the depiction of machine data andassociated metadata as rows and columns in the table of FIG. 5C ismerely illustrative and is not intended to limit the data format inwhich the machine data and metadata is stored in various embodimentsdescribed herein. In one particular embodiment, machine data can bestored in a compressed or encrypted formatted. In such embodiments, themachine data can be stored with or be associated with data thatdescribes the compression or encryption scheme with which the machinedata is stored. The information about the compression or encryptionscheme can be used to decompress or decrypt the machine data, and anymetadata with which it is stored, at search time.

As mentioned above, certain metadata, e.g., host 536, source 537, sourcetype 538 and timestamps 535 can be generated for each event, andassociated with a corresponding portion of machine data 539 when storingthe event data in a data store, e.g., data store 208. Any of themetadata can be extracted from the corresponding machine data, orsupplied or defined by an entity, such as a user or computer system. Themetadata fields can become part of or stored with the event. Note thatwhile the time-stamp metadata field can be extracted from the raw dataof each event, the values for the other metadata fields may bedetermined by the indexer based on information it receives pertaining tothe source of the data separate from the machine data.

While certain default or user-defined metadata fields can be extractedfrom the machine data for indexing purposes, all the machine data withinan event can be maintained in its original condition. As such, inembodiments in which the portion of machine data included in an event isunprocessed or otherwise unaltered, it is referred to herein as aportion of raw machine data. In other embodiments, the port of machinedata in an event can be processed or otherwise altered. As such, unlesscertain information needs to be removed for some reasons (e.g.extraneous information, confidential information), all the raw machinedata contained in an event can be preserved and saved in its originalform. Accordingly, the data store in which the event records are storedis sometimes referred to as a “raw record data store.” The raw recorddata store contains a record of the raw event data tagged with thevarious default fields.

In FIG. 5C, the first three rows of the table represent events 531, 532,and 533 and are related to a server access log that records requestsfrom multiple clients processed by a server, as indicated by entry of“access.log” in the source column 536.

In the example shown in FIG. 5C, each of the events 531-534 isassociated with a discrete request made from a client device. The rawmachine data generated by the server and extracted from a server accesslog can include the IP address of the client 540, the user id of theperson requesting the document 541, the time the server finishedprocessing the request 542, the request line from the client 543, thestatus code returned by the server to the client 545, the size of theobject returned to the client (in this case, the gif file requested bythe client) 546 and the time spent to serve the request in microseconds544. As seen in FIG. 5C, all the raw machine data retrieved from theserver access log is retained and stored as part of the correspondingevents, 1221, 1222, and 1223 in the data store.

Event 534 is associated with an entry in a server error log, asindicated by “error.log” in the source column 537, that records errorsthat the server encountered when processing a client request. Similar tothe events related to the server access log, all the raw machine data inthe error log file pertaining to event 534 can be preserved and storedas part of the event 534.

Saving minimally processed or unprocessed machine data in a data storeassociated with metadata fields in the manner similar to that shown inFIG. 5C is advantageous because it allows search of all the machine dataat search time instead of searching only previously specified andidentified fields or field-value pairs. As mentioned above, because datastructures used by various embodiments of the present disclosuremaintain the underlying raw machine data and use a late-binding schemafor searching the raw machines data, it enables a user to continueinvestigating and learn valuable insights about the raw data. In otherwords, the user is not compelled to know about all the fields ofinformation that will be needed at data ingestion time. As a user learnsmore about the data in the events, the user can continue to refine thelate-binding schema by defining new extraction rules, or modifying ordeleting existing extraction rules used by the system.

2.7.3. Indexing

At blocks 514 and 516, an indexer can optionally generate a keywordindex to facilitate fast keyword searching for events. To build akeyword index, at block 514, the indexer identifies a set of keywords ineach event. At block 516, the indexer includes the identified keywordsin an index, which associates each stored keyword with referencepointers to events containing that keyword (or to locations withinevents where that keyword is located, other location identifiers, etc.).When an indexer subsequently receives a keyword-based query, the indexercan access the keyword index to quickly identify events containing thekeyword.

In some embodiments, the keyword index may include entries for fieldname-value pairs found in events, where a field name-value pair caninclude a pair of keywords connected by a symbol, such as an equals signor colon. This way, events containing these field name-value pairs canbe quickly located. In some embodiments, fields can automatically begenerated for some or all of the field names of the field name-valuepairs at the time of indexing. For example, if the string“dest=10.0.1.2” is found in an event, a field named “dest” may becreated for the event, and assigned a value of “10.0.1.2”.

At block 518, the indexer stores the events with an associated timestampin a data store 208. Timestamps enable a user to search for events basedon a time range. In some embodiments, the stored events are organizedinto “buckets,” where each bucket stores events associated with aspecific time range based on the timestamps associated with each event.This improves time-based searching, as well as allows for events withrecent timestamps, which may have a higher likelihood of being accessed,to be stored in a faster memory to facilitate faster retrieval. Forexample, buckets containing the most recent events can be stored inflash memory rather than on a hard disk. In some embodiments, eachbucket may be associated with an identifier, a time range, and a sizeconstraint.

Each indexer 206 may be responsible for storing and searching a subsetof the events contained in a corresponding data store 208. Bydistributing events among the indexers and data stores, the indexers cananalyze events for a query in parallel. For example, using map-reducetechniques, each indexer returns partial responses for a subset ofevents to a search head that combines the results to produce an answerfor the query. By storing events in buckets for specific time ranges, anindexer may further optimize the data retrieval process by searchingbuckets corresponding to time ranges that are relevant to a query.

In some embodiments, each indexer has a home directory and a colddirectory. The home directory of an indexer stores hot buckets and warmbuckets, and the cold directory of an indexer stores cold buckets. A hotbucket is a bucket that is capable of receiving and storing events. Awarm bucket is a bucket that can no longer receive events for storagebut has not yet been moved to the cold directory. A cold bucket is abucket that can no longer receive events and may be a bucket that waspreviously stored in the home directory. The home directory may bestored in faster memory, such as flash memory, as events may be activelywritten to the home directory, and the home directory may typicallystore events that are more frequently searched and thus are accessedmore frequently. The cold directory may be stored in slower and/orlarger memory, such as a hard disk, as events are no longer beingwritten to the cold directory, and the cold directory may typicallystore events that are not as frequently searched and thus are accessedless frequently. In some embodiments, an indexer may also have aquarantine bucket that contains events having potentially inaccurateinformation, such as an incorrect time stamp associated with the eventor a time stamp that appears to be an unreasonable time stamp for thecorresponding event. The quarantine bucket may have events from any timerange; as such, the quarantine bucket may always be searched at searchtime. Additionally, an indexer may store old, archived data in a frozenbucket that is not capable of being searched at search time. In someembodiments, a frozen bucket may be stored in slower and/or largermemory, such as a hard disk, and may be stored in offline and/or remotestorage.

Moreover, events and buckets can also be replicated across differentindexers and data stores to facilitate high availability and disasterrecovery as described in U.S. Pat. No. 9,130,971, entitled “Site-BasedSearch Affinity”, issued on 8 Sep. 2015, and in U.S. patent Ser. No.14/266,817, entitled “Multi-Site Clustering”, issued on 1 Sep. 2015,each of which is hereby incorporated by reference in its entirety forall purposes.

FIG. 5B is a block diagram of an example data store 501 that includes adirectory for each index (or partition) that contains a portion of datamanaged by an indexer. FIG. 5B further illustrates details of anembodiment of an inverted index 507B and an event reference array 515associated with inverted index 507B.

The data store 501 can correspond to a data store 208 that stores eventsmanaged by an indexer 206 or can correspond to a different data storeassociated with an indexer 206. In the illustrated embodiment, the datastore 501 includes a _main directory 503 associated with a _main indexand a _test directory 505 associated with a _test index. However, thedata store 501 can include fewer or more directories. In someembodiments, multiple indexes can share a single directory or allindexes can share a common directory. Additionally, although illustratedas a single data store 501, it will be understood that the data store501 can be implemented as multiple data stores storing differentportions of the information shown in FIG. 5B. For example, a singleindex or partition can span multiple directories or multiple datastores, and can be indexed or searched by multiple correspondingindexers.

In the illustrated embodiment of FIG. 5B, the index-specific directories503 and 505 include inverted indexes 507A, 507B and 509A, 509B,respectively. The inverted indexes 507A . . . 507B, and 509A . . . 509Bcan be keyword indexes or field-value pair indexes described herein andcan include less or more information that depicted in FIG. 5B.

In some embodiments, the inverted index 507A . . . 507B, and 509A . . .509B can correspond to a distinct time-series bucket that is managed bythe indexer 206 and that contains events corresponding to the relevantindex (e.g., _main index, _test index). As such, each inverted index cancorrespond to a particular range of time for an index. Additional files,such as high performance indexes for each time-series bucket of anindex, can also be stored in the same directory as the inverted indexes507A . . . 507B, and 509A . . . 509B. In some embodiments inverted index507A . . . 507B, and 509A . . . 509B can correspond to multipletime-series buckets or inverted indexes 507A . . . 507B, and 509A . . .509B can correspond to a single time-series bucket.

Each inverted index 507A . . . 507B, and 509A . . . 509B can include oneor more entries, such as keyword (or token) entries or field-value pairentries. Furthermore, in certain embodiments, the inverted indexes 507A. . . 507B, and 509A . . . 509B can include additional information, suchas a time range 523 associated with the inverted index or an indexidentifier 525 identifying the index associated with the inverted index507A . . . 507B, and 509A . . . 509B. However, each inverted index 507A. . . 507B, and 509A . . . 509B can include less or more informationthan depicted.

Token entries, such as token entries 511 illustrated in inverted index507B, can include a token 511A (e.g., “error,” “itemID,” etc.) and eventreferences 511B indicative of events that include the token. Forexample, for the token “error,” the corresponding token entry includesthe token “error” and an event reference, or unique identifier, for eachevent stored in the corresponding time-series bucket that includes thetoken “error.” In the illustrated embodiment of FIG. 5B, the error tokenentry includes the identifiers 3, 5, 6, 8, 11, and 12 corresponding toevents managed by the indexer 206 and associated with the index _main503 that are located in the time-series bucket associated with theinverted index 507B.

In some cases, some token entries can be default entries, automaticallydetermined entries, or user specified entries. In some embodiments, theindexer 206 can identify each word or string in an event as a distincttoken and generate a token entry for it. In some cases, the indexer 206can identify the beginning and ending of tokens based on punctuation,spaces, as described in greater detail herein. In certain cases, theindexer 206 can rely on user input or a configuration file to identifytokens for token entries 511, etc. It will be understood that anycombination of token entries can be included as a default, automaticallydetermined, a or included based on user-specified criteria.

Similarly, field-value pair entries, such as field-value pair entries513 shown in inverted index 507B, can include a field-value pair 513Aand event references 513B indicative of events that include a fieldvalue that corresponds to the field-value pair. For example, for afield-value pair sourcetype::sendmail, a field-value pair entry wouldinclude the field-value pair sourcetype::sendmail and a uniqueidentifier, or event reference, for each event stored in thecorresponding time-series bucket that includes a sendmail sourcetype.

In some cases, the field-value pair entries 513 can be default entries,automatically determined entries, or user specified entries. As anon-limiting example, the field-value pair entries for the fields host,source, sourcetype can be included in the inverted indexes 507A . . .507B, and 509A . . . 509B as a default. As such, all of the invertedindexes 507A . . . 507B, and 509A . . . 509B can include field-valuepair entries for the fields host, source, sourcetype. As yet anothernon-limiting example, the field-value pair entries for the IP_addressfield can be user specified and may only appear in the inverted index507B based on user-specified criteria. As another non-limiting example,as the indexer indexes the events, it can automatically identifyfield-value pairs and create field-value pair entries. For example,based on the indexers review of events, it can identify IP_address as afield in each event and add the IP_address field-value pair entries tothe inverted index 507B. It will be understood that any combination offield-value pair entries can be included as a default, automaticallydetermined, or included based on user-specified criteria.

Each unique identifier 517, or event reference, can correspond to aunique event located in the time series bucket. However, the same eventreference can be located in multiple entries. For example if an eventhas a sourcetype splunkd, host www1 and token “warning,” then the uniqueidentifier for the event will appear in the field-value pair entriessourcetype::splunkd and host::www1, as well as the token entry“warning.” With reference to the illustrated embodiment of FIG. 5B andthe event that corresponds to the event reference 3, the event reference3 is found in the field-value pair entries 513 host::hostA,source::sourceB, sourcetype::sourcetypeA, and IP_address::91.205.189.15indicating that the event corresponding to the event references is fromhostA, sourceB, of sourcetypeA, and includes 91.205.189.15 in the eventdata.

For some fields, the unique identifier is located in only onefield-value pair entry for a particular field. For example, the invertedindex may include four sourcetype field-value pair entries correspondingto four different sourcetypes of the events stored in a bucket (e.g.,sourcetypes:sendmail, splunkd, web_access, and web_service). Withinthose four sourcetype field-value pair entries, an identifier for aparticular event may appear in only one of the field-value pair entries.With continued reference to the example illustrated embodiment of FIG.5B, since the event reference 7 appears in the field-value pair entrysourcetype::sourcetypeA, then it does not appear in the otherfield-value pair entries for the sourcetype field, includingsourcetype::sourcetypeB, sourcetype::sourcetypeC, andsourcetype::sourcetypeD.

The event references 517 can be used to locate the events in thecorresponding bucket. For example, the inverted index can include, or beassociated with, an event reference array 515. The event reference array515 can include an array entry 517 for each event reference in theinverted index 507B. Each array entry 517 can include locationinformation 519 of the event corresponding to the unique identifier(non-limiting example: seek address of the event), a timestamp 521associated with the event, or additional information regarding the eventassociated with the event reference, etc.

For each token entry 511 or field-value pair entry 513, the eventreference 501B or unique identifiers can be listed in chronologicalorder or the value of the event reference can be assigned based onchronological data, such as a timestamp associated with the eventreferenced by the event reference. For example, the event reference 1 inthe illustrated embodiment of FIG. 5B can correspond to thefirst-in-time event for the bucket, and the event reference 12 cancorrespond to the last-in-time event for the bucket. However, the eventreferences can be listed in any order, such as reverse chronologicalorder, ascending order, descending order, or some other order, etc.Further, the entries can be sorted. For example, the entries can besorted alphabetically (collectively or within a particular group), byentry origin (e.g., default, automatically generated, user-specified,etc.), by entry type (e.g., field-value pair entry, token entry, etc.),or chronologically by when added to the inverted index, etc. In theillustrated embodiment of FIG. 5B, the entries are sorted first by entrytype and then alphabetically.

As a non-limiting example of how the inverted indexes 507A . . . 507B,and 509A . . . 509B can be used during a data categorization requestcommand, the indexers can receive filter criteria indicating data thatis to be categorized and categorization criteria indicating how the datais to be categorized. Example filter criteria can include, but is notlimited to, indexes (or partitions), hosts, sources, sourcetypes, timeranges, field identifier, keywords, etc.

Using the filter criteria, the indexer identifies relevant invertedindexes to be searched. For example, if the filter criteria includes aset of partitions, the indexer can identify the inverted indexes storedin the directory corresponding to the particular partition as relevantinverted indexes. Other means can be used to identify inverted indexesassociated with a partition of interest. For example, in someembodiments, the indexer can review an entry in the inverted indexes,such as an index-value pair entry 513 to determine if a particularinverted index is relevant. If the filter criteria does not identify anypartition, then the indexer can identify all inverted indexes managed bythe indexer as relevant inverted indexes.

Similarly, if the filter criteria includes a time range, the indexer canidentify inverted indexes corresponding to buckets that satisfy at leasta portion of the time range as relevant inverted indexes. For example,if the time range is last hour then the indexer can identify allinverted indexes that correspond to buckets storing events associatedwith timestamps within the last hour as relevant inverted indexes.

When used in combination, an index filter criterion specifying one ormore partitions and a time range filter criterion specifying aparticular time range can be used to identify a subset of invertedindexes within a particular directory (or otherwise associated with aparticular partition) as relevant inverted indexes. As such, the indexercan focus the processing to only a subset of the total number ofinverted indexes that the indexer manages.

Once the relevant inverted indexes are identified, the indexer canreview them using any additional filter criteria to identify events thatsatisfy the filter criteria. In some cases, using the known location ofthe directory in which the relevant inverted indexes are located, theindexer can determine that any events identified using the relevantinverted indexes satisfy an index filter criterion. For example, if thefilter criteria includes a partition main, then the indexer candetermine that any events identified using inverted indexes within thepartition main directory (or otherwise associated with the partitionmain) satisfy the index filter criterion.

Furthermore, based on the time range associated with each invertedindex, the indexer can determine that that any events identified using aparticular inverted index satisfies a time range filter criterion. Forexample, if a time range filter criterion is for the last hour and aparticular inverted index corresponds to events within a time range of50 minutes ago to 35 minutes ago, the indexer can determine that anyevents identified using the particular inverted index satisfy the timerange filter criterion. Conversely, if the particular inverted indexcorresponds to events within a time range of 59 minutes ago to 62minutes ago, the indexer can determine that some events identified usingthe particular inverted index may not satisfy the time range filtercriterion.

Using the inverted indexes, the indexer can identify event references(and therefore events) that satisfy the filter criteria. For example, ifthe token “error” is a filter criterion, the indexer can track all eventreferences within the token entry “error.” Similarly, the indexer canidentify other event references located in other token entries orfield-value pair entries that match the filter criteria. The system canidentify event references located in all of the entries identified bythe filter criteria. For example, if the filter criteria include thetoken “error” and field-value pair sourcetype::web_ui, the indexer cantrack the event references found in both the token entry “error” and thefield-value pair entry sourcetype::web_ui. As mentioned previously, insome cases, such as when multiple values are identified for a particularfilter criterion (e.g., multiple sources for a source filter criterion),the system can identify event references located in at least one of theentries corresponding to the multiple values and in all other entriesidentified by the filter criteria. The indexer can determine that theevents associated with the identified event references satisfy thefilter criteria.

In some cases, the indexer can further consult a timestamp associatedwith the event reference to determine whether an event satisfies thefilter criteria. For example, if an inverted index corresponds to a timerange that is partially outside of a time range filter criterion, thenthe indexer can consult a timestamp associated with the event referenceto determine whether the corresponding event satisfies the time rangecriterion. In some embodiments, to identify events that satisfy a timerange, the indexer can review an array, such as the event referencearray 1614 that identifies the time associated with the events.Furthermore, as mentioned above using the known location of thedirectory in which the relevant inverted indexes are located (or otherindex identifier), the indexer can determine that any events identifiedusing the relevant inverted indexes satisfy the index filter criterion.

In some cases, based on the filter criteria, the indexer reviews anextraction rule. In certain embodiments, if the filter criteria includesa field name that does not correspond to a field-value pair entry in aninverted index, the indexer can review an extraction rule, which may belocated in a configuration file, to identify a field that corresponds toa field-value pair entry in the inverted index.

For example, the filter criteria includes a field name “sessionID” andthe indexer determines that at least one relevant inverted index doesnot include a field-value pair entry corresponding to the field namesessionID, the indexer can review an extraction rule that identifies howthe sessionID field is to be extracted from a particular host, source,or sourcetype (implicitly identifying the particular host, source, orsourcetype that includes a sessionID field). The indexer can replace thefield name “sessionID” in the filter criteria with the identified host,source, or sourcetype. In some cases, the field name “sessionID” may beassociated with multiples hosts, sources, or sourcetypes, in which case,all identified hosts, sources, and sourcetypes can be added as filtercriteria. In some cases, the identified host, source, or sourcetype canreplace or be appended to a filter criterion, or be excluded. Forexample, if the filter criteria includes a criterion for source S1 andthe “sessionID” field is found in source S2, the source S2 can replaceS1 in the filter criteria, be appended such that the filter criteriaincludes source S1 and source S2, or be excluded based on the presenceof the filter criterion source S1. If the identified host, source, orsourcetype is included in the filter criteria, the indexer can thenidentify a field-value pair entry in the inverted index that includes afield value corresponding to the identity of the particular host,source, or sourcetype identified using the extraction rule.

Once the events that satisfy the filter criteria are identified, thesystem, such as the indexer 206 can categorize the results based on thecategorization criteria. The categorization criteria can includecategories for grouping the results, such as any combination ofpartition, source, sourcetype, or host, or other categories or fields asdesired.

The indexer can use the categorization criteria to identifycategorization criteria-value pairs or categorization criteria values bywhich to categorize or group the results. The categorizationcriteria-value pairs can correspond to one or more field-value pairentries stored in a relevant inverted index, one or more index-valuepairs based on a directory in which the inverted index is located or anentry in the inverted index (or other means by which an inverted indexcan be associated with a partition), or other criteria-value pair thatidentifies a general category and a particular value for that category.The categorization criteria values can correspond to the value portionof the categorization criteria-value pair.

As mentioned, in some cases, the categorization criteria-value pairs cancorrespond to one or more field-value pair entries stored in therelevant inverted indexes. For example, the categorizationcriteria-value pairs can correspond to field-value pair entries of host,source, and sourcetype (or other field-value pair entry as desired). Forinstance, if there are ten different hosts, four different sources, andfive different sourcetypes for an inverted index, then the invertedindex can include ten host field-value pair entries, four sourcefield-value pair entries, and five sourcetype field-value pair entries.The indexer can use the nineteen distinct field-value pair entries ascategorization criteria-value pairs to group the results.

Specifically, the indexer can identify the location of the eventreferences associated with the events that satisfy the filter criteriawithin the field-value pairs, and group the event references based ontheir location. As such, the indexer can identify the particular fieldvalue associated with the event corresponding to the event reference.For example, if the categorization criteria include host and sourcetype,the host field-value pair entries and sourcetype field-value pairentries can be used as categorization criteria-value pairs to identifythe specific host and sourcetype associated with the events that satisfythe filter criteria.

In addition, as mentioned, categorization criteria-value pairs cancorrespond to data other than the field-value pair entries in therelevant inverted indexes. For example, if partition or index is used asa categorization criterion, the inverted indexes may not includepartition field-value pair entries. Rather, the indexer can identify thecategorization criteria-value pair associated with the partition basedon the directory in which an inverted index is located, information inthe inverted index, or other information that associates the invertedindex with the partition, etc. As such a variety of methods can be usedto identify the categorization criteria-value pairs from thecategorization criteria.

Accordingly based on the categorization criteria (and categorizationcriteria-value pairs), the indexer can generate groupings based on theevents that satisfy the filter criteria. As a non-limiting example, ifthe categorization criteria includes a partition and sourcetype, thenthe groupings can correspond to events that are associated with eachunique combination of partition and sourcetype. For instance, if thereare three different partitions and two different sourcetypes associatedwith the identified events, then the six different groups can be formed,each with a unique partition value-sourcetype value combination.Similarly, if the categorization criteria includes partition,sourcetype, and host and there are two different partitions, threesourcetypes, and five hosts associated with the identified events, thenthe indexer can generate up to thirty groups for the results thatsatisfy the filter criteria. Each group can be associated with a uniquecombination of categorization criteria-value pairs (e.g., uniquecombinations of partition value sourcetype value, and host value).

In addition, the indexer can count the number of events associated witheach group based on the number of events that meet the uniquecombination of categorization criteria for a particular group (or matchthe categorization criteria-value pairs for the particular group). Withcontinued reference to the example above, the indexer can count thenumber of events that meet the unique combination of partition,sourcetype, and host for a particular group.

Each indexer communicates the groupings to the search head. The searchhead can aggregate the groupings from the indexers and provide thegroupings for display. In some cases, the groups are displayed based onat least one of the host, source, sourcetype, or partition associatedwith the groupings. In some embodiments, the search head can furtherdisplay the groups based on display criteria, such as a display order ora sort order as described in greater detail above.

As a non-limiting example and with reference to FIG. 5B, consider arequest received by an indexer 206 that includes the following filtercriteria: keyword=error, partition=main, time range=3/1/1716:22.00.000-16:28.00.000, sourcetype=sourcetypeC, host=hostB, and thefollowing categorization criteria: source.

Based on the above criteria, the indexer 206 identifies _main directory503 and can ignore _test directory 505 and any other partition-specificdirectories. The indexer determines that inverted partition 507B is arelevant partition based on its location within the _main directory 503and the time range associated with it. For sake of simplicity in thisexample, the indexer 206 determines that no other inverted indexes inthe _main directory 503, such as inverted index 507A satisfy the timerange criterion.

Having identified the relevant inverted index 507B, the indexer reviewsthe token entries 511 and the field-value pair entries 513 to identifyevent references, or events, that satisfy all of the filter criteria.

With respect to the token entries 511, the indexer can review the errortoken entry and identify event references 3, 5, 6, 8, 11, 12, indicatingthat the term “error” is found in the corresponding events. Similarly,the indexer can identify event references 4, 5, 6, 8, 9, 10, 11 in thefield-value pair entry sourcetype::sourcetypeC and event references 2,5, 6, 8, 10, 11 in the field-value pair entry host::hostB. As the filtercriteria did not include a source or an IP_address field-value pair, theindexer can ignore those field-value pair entries.

In addition to identifying event references found in at least one tokenentry or field-value pair entry (e.g., event references 3, 4, 5, 6, 8,9, 10, 11, 12), the indexer can identify events (and corresponding eventreferences) that satisfy the time range criterion using the eventreference array 1614 (e.g., event references 2, 3, 4, 5, 6, 7, 8, 9,10). Using the information obtained from the inverted index 507B(including the event reference array 515), the indexer 206 can identifythe event references that satisfy all of the filter criteria (e.g.,event references 5, 6, 8).

Having identified the events (and event references) that satisfy all ofthe filter criteria, the indexer 206 can group the event referencesusing the received categorization criteria (source). In doing so, theindexer can determine that event references 5 and 6 are located in thefield-value pair entry source::sourceD (or have matching categorizationcriteria-value pairs) and event reference 8 is located in thefield-value pair entry source::sourceC. Accordingly, the indexer cangenerate a sourceC group having a count of one corresponding toreference 8 and a sourceD group having a count of two corresponding toreferences 5 and 6. This information can be communicated to the searchhead. In turn the search head can aggregate the results from the variousindexers and display the groupings. As mentioned above, in someembodiments, the groupings can be displayed based at least in part onthe categorization criteria, including at least one of host, source,sourcetype, or partition.

It will be understood that a change to any of the filter criteria orcategorization criteria can result in different groupings. As a onenon-limiting example, a request received by an indexer 206 that includesthe following filter criteria: partition=main, time range=3/1/17 3/1/1716:21:20.000-16:28:17.000, and the following categorization criteria:host, source, sourcetype would result in the indexer identifying eventreferences 1-12 as satisfying the filter criteria. The indexer wouldthen generate up to 24 groupings corresponding to the 24 differentcombinations of the categorization criteria-value pairs, including host(hostA, hostB), source (sourceA, sourceB, sourceC, sourceD), andsourcetype (sourcetypeA, sourcetypeB, sourcetypeC). However, as thereare only twelve events identifiers in the illustrated embodiment andsome fall into the same grouping, the indexer generates eight groups andcounts as follows:

Group 1 (hostA, sourceA, sourcetypeA): 1 (event reference 7)

Group 2 (hostA, sourceA, sourcetypeB): 2 (event references 1, 12)

Group 3 (hostA, sourceA, sourcetypeC): 1 (event reference 4)

Group 4 (hostA, sourceB, sourcetypeA): 1 (event reference 3)

Group 5 (hostA, sourceB, sourcetypeC): 1 (event reference 9)

Group 6 (hostB, sourceC, sourcetypeA): 1 (event reference 2)

Group 7 (hostB, sourceC, sourcetypeC): 2 (event references 8, 11)

Group 8 (hostB, sourceD, sourcetypeC): 3 (event references 5, 6, 10)

As noted, each group has a unique combination of categorizationcriteria-value pairs or categorization criteria values. The indexercommunicates the groups to the search head for aggregation with resultsreceived from other indexers. In communicating the groups to the searchhead, the indexer can include the categorization criteria-value pairsfor each group and the count. In some embodiments, the indexer caninclude more or less information. For example, the indexer can includethe event references associated with each group and other identifyinginformation, such as the indexer or inverted index used to identify thegroups.

As another non-limiting examples, a request received by an indexer 206that includes the following filter criteria: partition=main, timerange=3/1/17 3/1/17 16:21:20.000-16:28:17.000, source=sourceA, sourceD,and keyword=itemID and the following categorization criteria: host,source, sourcetype would result in the indexer identifying eventreferences 4, 7, and 10 as satisfying the filter criteria, and generatethe following groups:

Group 1 (hostA, sourceA, sourcetypeC): 1 (event reference 4)

Group 2 (hostA, sourceA, sourcetypeA): 1 (event reference 7)

Group 3 (hostB, sourceD, sourcetypeC): 1 (event references 10)

The indexer communicates the groups to the search head for aggregationwith results received from other indexers. As will be understand thereare myriad ways for filtering and categorizing the events and eventreferences. For example, the indexer can review multiple invertedindexes associated with an partition or review the inverted indexes ofmultiple partitions, and categorize the data using any one or anycombination of partition, host, source, sourcetype, or other category,as desired.

Further, if a user interacts with a particular group, the indexer canprovide additional information regarding the group. For example, theindexer can perform a targeted search or sampling of the events thatsatisfy the filter criteria and the categorization criteria for theselected group, also referred to as the filter criteria corresponding tothe group or filter criteria associated with the group.

In some cases, to provide the additional information, the indexer relieson the inverted index. For example, the indexer can identify the eventreferences associated with the events that satisfy the filter criteriaand the categorization criteria for the selected group and then use theevent reference array 515 to access some or all of the identifiedevents. In some cases, the categorization criteria values orcategorization criteria-value pairs associated with the group becomepart of the filter criteria for the review.

With reference to FIG. 5B for instance, suppose a group is displayedwith a count of six corresponding to event references 4, 5, 6, 8, 10, 11(i.e., event references 4, 5, 6, 8, 10, 11 satisfy the filter criteriaand are associated with matching categorization criteria values orcategorization criteria-value pairs) and a user interacts with the group(e.g., selecting the group, clicking on the group, etc.). In response,the search head communicates with the indexer to provide additionalinformation regarding the group.

In some embodiments, the indexer identifies the event referencesassociated with the group using the filter criteria and thecategorization criteria for the group (e.g., categorization criteriavalues or categorization criteria-value pairs unique to the group).Together, the filter criteria and the categorization criteria for thegroup can be referred to as the filter criteria associated with thegroup. Using the filter criteria associated with the group, the indexeridentifies event references 4, 5, 6, 8, 10, 11.

Based on a sampling criteria, discussed in greater detail above, theindexer can determine that it will analyze a sample of the eventsassociated with the event references 4, 5, 6, 8, 10, 11. For example,the sample can include analyzing event data associated with the eventreferences 5, 8, 10. In some embodiments, the indexer can use the eventreference array 1616 to access the event data associated with the eventreferences 5, 8, 10. Once accessed, the indexer can compile the relevantinformation and provide it to the search head for aggregation withresults from other indexers. By identifying events and sampling eventdata using the inverted indexes, the indexer can reduce the amount ofactual data this is analyzed and the number of events that are accessedin order to generate the summary of the group and provide a response inless time.

2.8. Query Processing

FIG. 6A is a flow diagram of an example method that illustrates how asearch head and indexers perform a search query, in accordance withexample embodiments. At block 602, a search head receives a search queryfrom a client. At block 604, the search head analyzes the search queryto determine what portion(s) of the query can be delegated to indexersand what portions of the query can be executed locally by the searchhead. At block 606, the search head distributes the determined portionsof the query to the appropriate indexers. In some embodiments, a searchhead cluster may take the place of an independent search head where eachsearch head in the search head cluster coordinates with peer searchheads in the search head cluster to schedule jobs, replicate searchresults, update configurations, fulfill search requests, etc. In someembodiments, the search head (or each search head) communicates with amaster node (also known as a cluster master, not shown in FIG. 2) thatprovides the search head with a list of indexers to which the searchhead can distribute the determined portions of the query. The masternode maintains a list of active indexers and can also designate whichindexers may have responsibility for responding to queries over certainsets of events. A search head may communicate with the master nodebefore the search head distributes queries to indexers to discover theaddresses of active indexers.

At block 608, the indexers to which the query was distributed, searchdata stores associated with them for events that are responsive to thequery. To determine which events are responsive to the query, theindexer searches for events that match the criteria specified in thequery. These criteria can include matching keywords or specific valuesfor certain fields. The searching operations at block 608 may use thelate-binding schema to extract values for specified fields from eventsat the time the query is processed. In some embodiments, one or morerules for extracting field values may be specified as part of a sourcetype definition in a configuration file. The indexers may then eithersend the relevant events back to the search head, or use the events todetermine a partial result, and send the partial result back to thesearch head.

At block 610, the search head combines the partial results and/or eventsreceived from the indexers to produce a final result for the query. Insome examples, the results of the query are indicative of performance orsecurity of the IT environment and may help improve the performance ofcomponents in the IT environment. This final result may comprisedifferent types of data depending on what the query requested. Forexample, the results can include a listing of matching events returnedby the query, or some type of visualization of the data from thereturned events. In another example, the final result can include one ormore calculated values derived from the matching events.

The results generated by the system 108 can be returned to a clientusing different techniques. For example, one technique streams resultsor relevant events back to a client in real-time as they are identified.Another technique waits to report the results to the client until acomplete set of results (which may include a set of relevant events or aresult based on relevant events) is ready to return to the client. Yetanother technique streams interim results or relevant events back to theclient in real-time until a complete set of results is ready, and thenreturns the complete set of results to the client. In another technique,certain results are stored as “search jobs” and the client may retrievethe results by referring the search jobs.

The search head can also perform various operations to make the searchmore efficient. For example, before the search head begins execution ofa query, the search head can determine a time range for the query and aset of common keywords that all matching events include. The search headmay then use these parameters to query the indexers to obtain a supersetof the eventual results. Then, during a filtering stage, the search headcan perform field-extraction operations on the superset to produce areduced set of search results. This speeds up queries, which may beparticularly helpful for queries that are performed on a periodic basis.

2.9. Pipelined Search Language

Various embodiments of the present disclosure can be implemented using,or in conjunction with, a pipelined command language. A pipelinedcommand language is a language in which a set of inputs or data isoperated on by a first command in a sequence of commands, and thensubsequent commands in the order they are arranged in the sequence. Suchcommands can include any type of functionality for operating on data,such as retrieving, searching, filtering, aggregating, processing,transmitting, and the like. As described herein, a query can thus beformulated in a pipelined command language and include any number ofordered or unordered commands for operating on data.

Splunk Processing Language (SPL) is an example of a pipelined commandlanguage in which a set of inputs or data is operated on by any numberof commands in a particular sequence. A sequence of commands, or commandsequence, can be formulated such that the order in which the commandsare arranged defines the order in which the commands are applied to aset of data or the results of an earlier executed command. For example,a first command in a command sequence can operate to search or filterfor specific data in particular set of data. The results of the firstcommand can then be passed to another command listed later in thecommand sequence for further processing.

In various embodiments, a query can be formulated as a command sequencedefined in a command line of a search UI. In some embodiments, a querycan be formulated as a sequence of SPL commands. Some or all of the SPLcommands in the sequence of SPL commands can be separated from oneanother by a pipe symbol “|”. In such embodiments, a set of data, suchas a set of events, can be operated on by a first SPL command in thesequence, and then a subsequent SPL command following a pipe symbol “|”after the first SPL command operates on the results produced by thefirst SPL command or other set of data, and so on for any additional SPLcommands in the sequence. As such, a query formulated using SPLcomprises a series of consecutive commands that are delimited by pipe“|” characters. The pipe character indicates to the system that theoutput or result of one command (to the left of the pipe) should be usedas the input for one of the subsequent commands (to the right of thepipe). This enables formulation of queries defined by a pipeline ofsequenced commands that refines or enhances the data at each step alongthe pipeline until the desired results are attained. Accordingly,various embodiments described herein can be implemented with SplunkProcessing Language (SPL) used in conjunction with the SPLUNK®ENTERPRISE system.

While a query can be formulated in many ways, a query can start with asearch command and one or more corresponding search terms at thebeginning of the pipeline. Such search terms can include any combinationof keywords, phrases, times, dates, Boolean expressions, fieldname-fieldvalue pairs, etc. that specify which results should be obtained from anindex. The results can then be passed as inputs into subsequent commandsin a sequence of commands by using, for example, a pipe character. Thesubsequent commands in a sequence can include directives for additionalprocessing of the results once it has been obtained from one or moreindexes. For example, commands may be used to filter unwantedinformation out of the results, extract more information, evaluate fieldvalues, calculate statistics, reorder the results, create an alert,create summary of the results, or perform some type of aggregationfunction. In some embodiments, the summary can include a graph, chart,metric, or other visualization of the data. An aggregation function caninclude analysis or calculations to return an aggregate value, such asan average value, a sum, a maximum value, a root mean square,statistical values, and the like.

Due to its flexible nature, use of a pipelined command language invarious embodiments is advantageous because it can perform “filtering”as well as “processing” functions. In other words, a single query caninclude a search command and search term expressions, as well asdata-analysis expressions. For example, a command at the beginning of aquery can perform a “filtering” step by retrieving a set of data basedon a condition (e.g., records associated with server response times ofless than 1 microsecond). The results of the filtering step can then bepassed to a subsequent command in the pipeline that performs a“processing” step (e.g. calculation of an aggregate value related to thefiltered events such as the average response time of servers withresponse times of less than 1 microsecond). Furthermore, the searchcommand can allow events to be filtered by keyword as well as fieldvalue criteria. For example, a search command can filter out all eventscontaining the word “warning” or filter out all events where a fieldvalue associated with a field “clientip” is “10.0.1.2.”

The results obtained or generated in response to a command in a querycan be considered a set of results data. The set of results data can bepassed from one command to another in any data format. In oneembodiment, the set of result data can be in the form of a dynamicallycreated table. Each command in a particular query can redefine the shapeof the table. In some implementations, an event retrieved from an indexin response to a query can be considered a row with a column for eachfield value. Columns contain basic information about the data and alsomay contain data that has been dynamically extracted at search time.

FIG. 6B provides a visual representation of the manner in which apipelined command language or query operates in accordance with thedisclosed embodiments. The query 630 can be inputted by the user into asearch. The query comprises a search, the results of which are piped totwo commands (namely, command 1 and command 2) that follow the searchstep.

Disk 622 represents the event data in the raw record data store.

When a user query is processed, a search step will precede other queriesin the pipeline in order to generate a set of events at block 640. Forexample, the query can comprise search terms “sourcetype=syslog ERROR”at the front of the pipeline as shown in FIG. 6B. Intermediate resultstable 624 shows fewer rows because it represents the subset of eventsretrieved from the index that matched the search terms“sourcetype=syslog ERROR” from search command 630. By way of furtherexample, instead of a search step, the set of events at the head of thepipeline may be generating by a call to a pre-existing inverted index(as will be explained later).

At block 642, the set of events generated in the first part of the querymay be piped to a query that searches the set of events for field-valuepairs or for keywords. For example, the second intermediate resultstable 626 shows fewer columns, representing the result of the topcommand, “top user” which may summarize the events into a list of thetop 10 users and may display the user, count, and percentage.

Finally, at block 644, the results of the prior stage can be pipelinedto another stage where further filtering or processing of the data canbe performed, e.g., preparing the data for display purposes, filteringthe data based on a condition, performing a mathematical calculationwith the data, etc. As shown in FIG. 6B, the “fields-percent” part ofcommand 630 removes the column that shows the percentage, thereby,leaving a final results table 628 without a percentage column. Indifferent embodiments, other query languages, such as the StructuredQuery Language (“SQL”), can be used to create a query.

2.10. Field Extraction

The search head 210 allows users to search and visualize eventsgenerated from machine data received from homogenous data sources. Thesearch head 210 also allows users to search and visualize eventsgenerated from machine data received from heterogeneous data sources.The search head 210 includes various mechanisms, which may additionallyreside in an indexer 206, for processing a query. A query language maybe used to create a query, such as any suitable pipelined querylanguage. For example, Splunk Processing Language (SPL) can be utilizedto make a query. SPL is a pipelined search language in which a set ofinputs is operated on by a first command in a command line, and then asubsequent command following the pipe symbol “|” operates on the resultsproduced by the first command, and so on for additional commands. Otherquery languages, such as the Structured Query Language (“SQL”), can beused to create a query.

In response to receiving the search query, search head 210 usesextraction rules to extract values for fields in the events beingsearched. The search head 210 obtains extraction rules that specify howto extract a value for fields from an event. Extraction rules cancomprise regex rules that specify how to extract values for the fieldscorresponding to the extraction rules. In addition to specifying how toextract field values, the extraction rules may also include instructionsfor deriving a field value by performing a function on a characterstring or value retrieved by the extraction rule. For example, anextraction rule may truncate a character string or convert the characterstring into a different data format. In some cases, the query itself canspecify one or more extraction rules.

The search head 210 can apply the extraction rules to events that itreceives from indexers 206. Indexers 206 may apply the extraction rulesto events in an associated data store 208. Extraction rules can beapplied to all the events in a data store or to a subset of the eventsthat have been filtered based on some criteria (e.g., event time stampvalues, etc.). Extraction rules can be used to extract one or morevalues for a field from events by parsing the portions of machine datain the events and examining the data for one or more patterns ofcharacters, numbers, delimiters, etc., that indicate where the fieldbegins and, optionally, ends.

FIG. 7A is a diagram of an example scenario where a common customeridentifier is found among log data received from three disparate datasources, in accordance with example embodiments. In this example, a usersubmits an order for merchandise using a vendor's shopping applicationprogram 701 running on the user's system. In this example, the order wasnot delivered to the vendor's server due to a resource exception at thedestination server that is detected by the middleware code 702. The userthen sends a message to the customer support server 703 to complainabout the order failing to complete. The three systems 701, 702, and 703are disparate systems that do not have a common logging format. Theorder application 701 sends log data 704 to the data intake and querysystem in one format, the middleware code 702 sends error log data 705in a second format, and the support server 703 sends log data 706 in athird format.

Using the log data received at one or more indexers 206 from the threesystems, the vendor can uniquely obtain an insight into user activity,user experience, and system behavior. The search head 210 allows thevendor's administrator to search the log data from the three systemsthat one or more indexers 206 are responsible for searching, therebyobtaining correlated information, such as the order number andcorresponding customer ID number of the person placing the order. Thesystem also allows the administrator to see a visualization of relatedevents via a user interface. The administrator can query the search head210 for customer ID field value matches across the log data from thethree systems that are stored at the one or more indexers 206. Thecustomer ID field value exists in the data gathered from the threesystems, but the customer ID field value may be located in differentareas of the data given differences in the architecture of the systems.There is a semantic relationship between the customer ID field valuesgenerated by the three systems. The search head 210 requests events fromthe one or more indexers 206 to gather relevant events from the threesystems. The search head 210 then applies extraction rules to the eventsin order to extract field values that it can correlate. The search headmay apply a different extraction rule to each set of events from eachsystem when the event format differs among systems. In this example, theuser interface can display to the administrator the events correspondingto the common customer ID field values 707, 708, and 709, therebyproviding the administrator with insight into a customer's experience.

Note that query results can be returned to a client, a search head, orany other system component for further processing. In general, queryresults may include a set of one or more events, a set of one or morevalues obtained from the events, a subset of the values, statisticscalculated based on the values, a report containing the values, avisualization (e.g., a graph or chart) generated from the values, andthe like.

The search system enables users to run queries against the stored datato retrieve events that meet criteria specified in a query, such ascontaining certain keywords or having specific values in defined fields.FIG. 7B illustrates the manner in which keyword searches and fieldsearches are processed in accordance with disclosed embodiments.

If a user inputs a search query into search bar 1401 that includes onlykeywords (also known as “tokens”), e.g., the keyword “error” or“warning”, the query search engine of the data intake and query systemsearches for those keywords directly in the event data 722 stored in theraw record data store. Note that while FIG. 7B only illustrates fourevents, the raw record data store (corresponding to data store 208 inFIG. 2) may contain records for millions of events.

As disclosed above, an indexer can optionally generate a keyword indexto facilitate fast keyword searching for event data. The indexerincludes the identified keywords in an index, which associates eachstored keyword with reference pointers to events containing that keyword(or to locations within events where that keyword is located, otherlocation identifiers, etc.). When an indexer subsequently receives akeyword-based query, the indexer can access the keyword index to quicklyidentify events containing the keyword. For example, if the keyword“HTTP” was indexed by the indexer at index time, and the user searchesfor the keyword “HTTP”, events 713 to 715 will be identified based onthe results returned from the keyword index. As noted above, the indexcontains reference pointers to the events containing the keyword, whichallows for efficient retrieval of the relevant events from the rawrecord data store.

If a user searches for a keyword that has not been indexed by theindexer, the data intake and query system would nevertheless be able toretrieve the events by searching the event data for the keyword in theraw record data store directly as shown in FIG. 7B. For example, if auser searches for the keyword “frank”, and the name “frank” has not beenindexed at index time, the DATA INTAKE AND QUERY system will search theevent data directly and return the first event 713. Note that whetherthe keyword has been indexed at index time or not, in both cases the rawdata with the events 712 is accessed from the raw data record store toservice the keyword search. In the case where the keyword has beenindexed, the index will contain a reference pointer that will allow fora more efficient retrieval of the event data from the data store. If thekeyword has not been indexed, the search engine will need to searchthrough all the records in the data store to service the search.

In most cases, however, in addition to keywords, a user's search willalso include fields. The term “field” refers to a location in the eventdata containing one or more values for a specific data item. Often, afield is a value with a fixed, delimited position on a line, or a nameand value pair, where there is a single value to each field name. Afield can also be multivalued, that is, it can appear more than once inan event and have a different value for each appearance, e.g., emailaddress fields. Fields are searchable by the field name or fieldname-value pairs. Some examples of fields are “clientip” for IPaddresses accessing a web server, or the “From” and “To” fields in emailaddresses.

By way of further example, consider the search, “status=404”. Thissearch query finds events with “status” fields that have a value of“404.” When the search is run, the search engine does not look forevents with any other “status” value. It also does not look for eventscontaining other fields that share “404” as a value. As a result, thesearch returns a set of results that are more focused than if “404” hadbeen used in the search string as part of a keyword search. Note alsothat fields can appear in events as “key=value” pairs such as“user_name=Bob.” But in most cases, field values appear in fixed,delimited positions without identifying keys. For example, the datastore may contain events where the “user_name” value always appears byitself after the timestamp as illustrated by the following string:“November 15 09:33:22 johnmedlock.”

The data intake and query system advantageously allows for search timefield extraction. In other words, fields can be extracted from the eventdata at search time using late-binding schema as opposed to at dataingestion time, which was a major limitation of the prior art systems.

In response to receiving the search query, search head 210 usesextraction rules to extract values for the fields associated with afield or fields in the event data being searched. The search head 210obtains extraction rules that specify how to extract a value for certainfields from an event. Extraction rules can comprise regex rules thatspecify how to extract values for the relevant fields. In addition tospecifying how to extract field values, the extraction rules may alsoinclude instructions for deriving a field value by performing a functionon a character string or value retrieved by the extraction rule. Forexample, a transformation rule may truncate a character string, orconvert the character string into a different data format. In somecases, the query itself can specify one or more extraction rules.

FIG. 7B illustrates the manner in which configuration files may be usedto configure custom fields at search time in accordance with thedisclosed embodiments. In response to receiving a search query, the dataintake and query system determines if the query references a “field.”For example, a query may request a list of events where the “clientip”field equals “127.0.0.1.” If the query itself does not specify anextraction rule and if the field is not a metadata field, e.g., time,host, source, source type, etc., then in order to determine anextraction rule, the search engine may, in one or more embodiments, needto locate configuration file 712 during the execution of the search asshown in FIG. 7B.

Configuration file 712 may contain extraction rules for all the variousfields that are not metadata fields, e.g., the “clientip” field. Theextraction rules may be inserted into the configuration file in avariety of ways. In some embodiments, the extraction rules can compriseregular expression rules that are manually entered in by the user.Regular expressions match patterns of characters in text and are usedfor extracting custom fields in text.

In one or more embodiments, as noted above, a field extractor may beconfigured to automatically generate extraction rules for certain fieldvalues in the events when the events are being created, indexed, orstored, or possibly at a later time. In one embodiment, a user may beable to dynamically create custom fields by highlighting portions of asample event that should be extracted as fields using a graphical userinterface. The system would then generate a regular expression thatextracts those fields from similar events and store the regularexpression as an extraction rule for the associated field in theconfiguration file 712.

In some embodiments, the indexers may automatically discover certaincustom fields at index time and the regular expressions for those fieldswill be automatically generated at index time and stored as part ofextraction rules in configuration file 712. For example, fields thatappear in the event data as “key=value” pairs may be automaticallyextracted as part of an automatic field discovery process. Note thatthere may be several other ways of adding field definitions toconfiguration files in addition to the methods discussed herein.

The search head 210 can apply the extraction rules derived fromconfiguration file 1402 to event data that it receives from indexers206. Indexers 206 may apply the extraction rules from the configurationfile to events in an associated data store 208. Extraction rules can beapplied to all the events in a data store, or to a subset of the eventsthat have been filtered based on some criteria (e.g., event time stampvalues, etc.). Extraction rules can be used to extract one or morevalues for a field from events by parsing the event data and examiningthe event data for one or more patterns of characters, numbers,delimiters, etc., that indicate where the field begins and, optionally,ends.

In one more embodiments, the extraction rule in configuration file 712will also need to define the type or set of events that the rule appliesto. Because the raw record data store will contain events from multipleheterogeneous sources, multiple events may contain the same fields indifferent locations because of discrepancies in the format of the datagenerated by the various sources. Furthermore, certain events may notcontain a particular field at all. For example, event 719 also contains“clientip” field, however, the “clientip” field is in a different formatfrom events 713-715. To address the discrepancies in the format andcontent of the different types of events, the configuration file willalso need to specify the set of events that an extraction rule appliesto, e.g., extraction rule 716 specifies a rule for filtering by the typeof event and contains a regular expression for parsing out the fieldvalue. Accordingly, each extraction rule will pertain to only aparticular type of event. If a particular field, e.g., “clientip” occursin multiple events, each of those types of events would need its owncorresponding extraction rule in the configuration file 712 and each ofthe extraction rules would comprise a different regular expression toparse out the associated field value. The most common way to categorizeevents is by source type because events generated by a particular sourcecan have the same format.

The field extraction rules stored in configuration file 712 performsearch-time field extractions. For example, for a query that requests alist of events with source type “access_combined” where the “clientip”field equals “127.0.0.1,” the query search engine would first locate theconfiguration file 712 to retrieve extraction rule 716 that would allowit to extract values associated with the “clientip” field from the eventdata 720 “where the source type is “access_combined. After the“clientip” field has been extracted from all the events comprising the“clientip” field where the source type is “access_combined,” the querysearch engine can then execute the field criteria by performing thecompare operation to filter out the events where the “clientip” fieldequals “127.0.0.1.” In the example shown in FIG. 7B, events 713-715would be returned in response to the user query. In this manner, thesearch engine can service queries containing field criteria in additionto queries containing keyword criteria (as explained above).

The configuration file can be created during indexing. It may either bemanually created by the user or automatically generated with certainpredetermined field extraction rules. As discussed above, the events maybe distributed across several indexers, wherein each indexer may beresponsible for storing and searching a subset of the events containedin a corresponding data store. In a distributed indexer system, eachindexer would need to maintain a local copy of the configuration filethat is synchronized periodically across the various indexers.

The ability to add schema to the configuration file at search timeresults in increased efficiency. A user can create new fields at searchtime and simply add field definitions to the configuration file. As auser learns more about the data in the events, the user can continue torefine the late-binding schema by adding new fields, deleting fields, ormodifying the field extraction rules in the configuration file for usethe next time the schema is used by the system. Because the data intakeand query system maintains the underlying raw data and uses late-bindingschema for searching the raw data, it enables a user to continueinvestigating and learn valuable insights about the raw data long afterdata ingestion time.

The ability to add multiple field definitions to the configuration fileat search time also results in increased flexibility. For example,multiple field definitions can be added to the configuration file tocapture the same field across events generated by different sourcetypes. This allows the data intake and query system to search andcorrelate data across heterogeneous sources flexibly and efficiently.

Further, by providing the field definitions for the queried fields atsearch time, the configuration file 712 allows the record data store 712to be field searchable. In other words, the raw record data store 712can be searched using keywords as well as fields, wherein the fields aresearchable name/value pairings that distinguish one event from anotherand can be defined in configuration file 1402 using extraction rules. Incomparison to a search containing field names, a keyword search does notneed the configuration file and can search the event data directly asshown in FIG. 7B.

It should also be noted that any events filtered out by performing asearch-time field extraction using a configuration file can be furtherprocessed by directing the results of the filtering step to a processingstep using a pipelined search language. Using the prior example, a usercould pipeline the results of the compare step to an aggregate functionby asking the query search engine to count the number of events wherethe “clientip” field equals “127.0.0.1.”

2.11. Example Search Screen

FIG. 8A is an interface diagram of an example user interface for asearch screen 800, in accordance with example embodiments. Search screen800 includes a search bar 802 that accepts user input in the form of asearch string. It also includes a time range picker 812 that enables theuser to specify a time range for the search. For historical searches(e.g., searches based on a particular historical time range), the usercan select a specific time range, or alternatively a relative timerange, such as “today,” “yesterday” or “last week.” For real-timesearches (e.g., searches whose results are based on data received inreal-time), the user can select the size of a preceding time window tosearch for real-time events. Search screen 800 also initially maydisplay a “data summary” dialog as is illustrated in FIG. 8B thatenables the user to select different sources for the events, such as byselecting specific hosts and log files.

After the search is executed, the search screen 800 in FIG. 8A candisplay the results through search results tabs 804, wherein searchresults tabs 804 includes: an “events tab” that may display variousinformation about events returned by the search; a “statistics tab” thatmay display statistics about the search results; and a “visualizationtab” that may display various visualizations of the search results. Theevents tab illustrated in FIG. 8A may display a timeline graph 805 thatgraphically illustrates the number of events that occurred in one-hourintervals over the selected time range. The events tab also may displayan events list 808 that enables a user to view the machine data in eachof the returned events.

The events tab additionally may display a sidebar that is an interactivefield picker 806. The field picker 806 may be displayed to a user inresponse to the search being executed and allows the user to furtheranalyze the search results based on the fields in the events of thesearch results. The field picker 806 includes field names that referencefields present in the events in the search results. The field picker maydisplay any Selected Fields 820 that a user has pre-selected for display(e.g., host, source, sourcetype) and may also display any InterestingFields 822 that the system determines may be interesting to the userbased on pre-specified criteria (e.g., action, bytes, categoryid,clientip, date_hour, date_mday, date_minute, etc.). The field pickeralso provides an option to display field names for all the fieldspresent in the events of the search results using the All Fields control824.

Each field name in the field picker 806 has a value type identifier tothe left of the field name, such as value type identifier 826. A valuetype identifier identifies the type of value for the respective field,such as an “a” for fields that include literal values or a “#” forfields that include numerical values.

Each field name in the field picker also has a unique value count to theright of the field name, such as unique value count 828. The uniquevalue count indicates the number of unique values for the respectivefield in the events of the search results.

Each field name is selectable to view the events in the search resultsthat have the field referenced by that field name. For example, a usercan select the “host” field name, and the events shown in the eventslist 808 will be updated with events in the search results that have thefield that is reference by the field name “host.”

2.12. Data Models

A data model is a hierarchically structured search-time mapping ofsemantic knowledge about one or more datasets. It encodes the domainknowledge used to build a variety of specialized searches of thosedatasets. Those searches, in turn, can be used to generate reports.

A data model is composed of one or more “objects” (or “data modelobjects”) that define or otherwise correspond to a specific set of data.An object is defined by constraints and attributes. An object'sconstraints are search criteria that define the set of events to beoperated on by running a search having that search criteria at the timethe data model is selected. An object's attributes are the set of fieldsto be exposed for operating on that set of events generated by thesearch criteria.

Objects in data models can be arranged hierarchically in parent/childrelationships. Each child object represents a subset of the datasetcovered by its parent object. The top-level objects in data models arecollectively referred to as “root objects.”

Child objects have inheritance. Child objects inherit constraints andattributes from their parent objects and may have additional constraintsand attributes of their own. Child objects provide a way of filteringevents from parent objects. Because a child object may provide anadditional constraint in addition to the constraints it has inheritedfrom its parent object, the dataset it represents may be a subset of thedataset that its parent represents. For example, a first data modelobject may define a broad set of data pertaining to e-mail activitygenerally, and another data model object may define specific datasetswithin the broad dataset, such as a subset of the e-mail data pertainingspecifically to e-mails sent. For example, a user can simply select an“e-mail activity” data model object to access a dataset relating toe-mails generally (e.g., sent or received), or select an “e-mails sent”data model object (or data sub-model object) to access a datasetrelating to e-mails sent.

Because a data model object is defined by its constraints (e.g., a setof search criteria) and attributes (e.g., a set of fields), a data modelobject can be used to quickly search data to identify a set of eventsand to identify a set of fields to be associated with the set of events.For example, an “e-mails sent” data model object may specify a searchfor events relating to e-mails that have been sent, and specify a set offields that are associated with the events. Thus, a user can retrieveand use the “e-mails sent” data model object to quickly search sourcedata for events relating to sent e-mails, and may be provided with alisting of the set of fields relevant to the events in a user interfacescreen.

Examples of data models can include electronic mail, authentication,databases, intrusion detection, malware, application state, alerts,compute inventory, network sessions, network traffic, performance,audits, updates, vulnerabilities, etc. Data models and their objects canbe designed by knowledge managers in an organization, and they canenable downstream users to quickly focus on a specific set of data. Auser iteratively applies a model development tool (not shown in FIG. 8A)to prepare a query that defines a subset of events and assigns an objectname to that subset. A child subset is created by further limiting aquery that generated a parent subset.

Data definitions in associated schemas can be taken from the commoninformation model (CIM) or can be devised for a particular schema andoptionally added to the CIM. Child objects inherit fields from parentsand can include fields not present in parents. A model developer canselect fewer extraction rules than are available for the sourcesreturned by the query that defines events belonging to a model.Selecting a limited set of extraction rules can be a tool forsimplifying and focusing the data model, while allowing a userflexibility to explore the data subset. Development of a data model isfurther explained in U.S. Pat. Nos. 8,788,525 and 8,788,526, bothentitled “DATA MODEL FOR MACHINE DATA FOR SEMANTIC SEARCH”, both issuedon 22 Jul. 2014, U.S. Pat. No. 8,983,994, entitled “GENERATION OF A DATAMODEL FOR SEARCHING MACHINE DATA”, issued on 17 Mar. 2015, U.S. Pat. No.9,128,980, entitled “GENERATION OF A DATA MODEL APPLIED TO QUERIES”,issued on 8 Sep. 2015, and U.S. Pat. No. 9,589,012, entitled “GENERATIONOF A DATA MODEL APPLIED TO OBJECT QUERIES”, issued on 7 Mar. 2017, eachof which is hereby incorporated by reference in its entirety for allpurposes.

A data model can also include reports. One or more report formats can beassociated with a particular data model and be made available to runagainst the data model. A user can use child objects to design reportswith object datasets that already have extraneous data pre-filtered out.In some embodiments, the data intake and query system 108 provides theuser with the ability to produce reports (e.g., a table, chart,visualization, etc.) without having to enter SPL, SQL, or other querylanguage terms into a search screen. Data models are used as the basisfor the search feature.

Data models may be selected in a report generation interface. The reportgenerator supports drag-and-drop organization of fields to be summarizedin a report. When a model is selected, the fields with availableextraction rules are made available for use in the report. The user mayrefine and/or filter search results to produce more precise reports. Theuser may select some fields for organizing the report and select otherfields for providing detail according to the report organization. Forexample, “region” and “salesperson” are fields used for organizing thereport and sales data can be summarized (subtotaled and totaled) withinthis organization. The report generator allows the user to specify oneor more fields within events and apply statistical analysis on valuesextracted from the specified one or more fields. The report generatormay aggregate search results across sets of events and generatestatistics based on aggregated search results. Building reports usingthe report generation interface is further explained in U.S. patentapplication Ser. No. 14/503,335, entitled “GENERATING REPORTS FROMUNSTRUCTURED DATA”, filed on 30 Sep. 2014, and which is herebyincorporated by reference in its entirety for all purposes. Datavisualizations also can be generated in a variety of formats, byreference to the data model. Reports, data visualizations, and datamodel objects can be saved and associated with the data model for futureuse. The data model object may be used to perform searches of otherdata.

FIGS. 9-15 are interface diagrams of example report generation userinterfaces, in accordance with example embodiments. The reportgeneration process may be driven by a predefined data model object, suchas a data model object defined and/or saved via a reporting applicationor a data model object obtained from another source. A user can load asaved data model object using a report editor. For example, the initialsearch query and fields used to drive the report editor may be obtainedfrom a data model object. The data model object that is used to drive areport generation process may define a search and a set of fields. Uponloading of the data model object, the report generation process mayenable a user to use the fields (e.g., the fields defined by the datamodel object) to define criteria for a report (e.g., filters, splitrows/columns, aggregates, etc.) and the search may be used to identifyevents (e.g., to identify events responsive to the search) used togenerate the report. That is, for example, if a data model object isselected to drive a report editor, the graphical user interface of thereport editor may enable a user to define reporting criteria for thereport using the fields associated with the selected data model object,and the events used to generate the report may be constrained to theevents that match, or otherwise satisfy, the search constraints of theselected data model object.

The selection of a data model object for use in driving a reportgeneration may be facilitated by a data model object selectioninterface. FIG. 9 illustrates an example interactive data modelselection graphical user interface 900 of a report editor that maydisplay a listing of available data models 901. The user may select oneof the data models 902.

FIG. 10 illustrates an example data model object selection graphicaluser interface 1000 that may display available data objects 1001 for theselected data object model 902. The user may select one of the displayeddata model objects 1002 for use in driving the report generationprocess.

Once a data model object is selected by the user, a user interfacescreen 1100 shown in FIG. 11A may display an interactive listing ofautomatic field identification options 1101 based on the selected datamodel object. For example, a user may select one of the threeillustrated options (e.g., the “All Fields” option 1102, the “SelectedFields” option 1103, or the “Coverage” option (e.g., fields with atleast a specified % of coverage) 1104). If the user selects the “AllFields” option 1102, all of the fields identified from the events thatwere returned in response to an initial search query may be selected.That is, for example, all of the fields of the identified data modelobject fields may be selected. If the user selects the “Selected Fields”option 1103, only the fields from the fields of the identified datamodel object fields that are selected by the user may be used. If theuser selects the “Coverage” option 1104, only the fields of theidentified data model object fields meeting a specified coveragecriteria may be selected. A percent coverage may refer to the percentageof events returned by the initial search query that a given fieldappears in. Thus, for example, if an object dataset includes 10,000events returned in response to an initial search query, and the“avg_age” field appears in 854 of those 10,000 events, then the“avg_age” field would have a coverage of 8.54% for that object dataset.If, for example, the user selects the “Coverage” option and specifies acoverage value of 2%, only fields having a coverage value equal to orgreater than 2% may be selected. The number of fields corresponding toeach selectable option may be displayed in association with each option.For example, “97” displayed next to the “All Fields” option 1102indicates that 97 fields will be selected if the “All Fields” option isselected. The “3” displayed next to the “Selected Fields” option 1103indicates that 3 of the 97 fields will be selected if the “SelectedFields” option is selected. The “49” displayed next to the “Coverage”option 1104 indicates that 49 of the 97 fields (e.g., the 49 fieldshaving a coverage of 2% or greater) will be selected if the “Coverage”option is selected. The number of fields corresponding to the “Coverage”option may be dynamically updated based on the specified percent ofcoverage.

FIG. 11B illustrates an example graphical user interface screen 1105displaying the reporting application's “Report Editor” page. The screenmay display interactive elements for defining various elements of areport. For example, the page includes a “Filters” element 1106, a“Split Rows” element 1107, a “Split Columns” element 1108, and a “ColumnValues” element 1109. The page may include a list of search results1111. In this example, the Split Rows element 1107 is expanded,revealing a listing of fields 1110 that can be used to define additionalcriteria (e.g., reporting criteria). The listing of fields 1110 maycorrespond to the selected fields. That is, the listing of fields 1110may list only the fields previously selected, either automaticallyand/or manually by a user. FIG. 11C illustrates a formatting dialogue1112 that may be displayed upon selecting a field from the listing offields 1110. The dialogue can be used to format the display of theresults of the selection (e.g., label the column for the selected fieldto be displayed as “component”).

FIG. 11D illustrates an example graphical user interface screen 1105including a table of results 1113 based on the selected criteriaincluding splitting the rows by the “component” field. A column 1114having an associated count for each component listed in the table may bedisplayed that indicates an aggregate count of the number of times thatthe particular field-value pair (e.g., the value in a row for aparticular field, such as the value “BucketMover” for the field“component”) occurs in the set of events responsive to the initialsearch query.

FIG. 12 illustrates an example graphical user interface screen 1200 thatallows the user to filter search results and to perform statisticalanalysis on values extracted from specific fields in the set of events.In this example, the top ten product names ranked by price are selectedas a filter 1201 that causes the display of the ten most popularproducts sorted by price. Each row is displayed by product name andprice 1202. This results in each product displayed in a column labeled“product name” along with an associated price in a column labeled“price” 1206. Statistical analysis of other fields in the eventsassociated with the ten most popular products have been specified ascolumn values 1203. A count of the number of successful purchases foreach product is displayed in column 1204. These statistics may beproduced by filtering the search results by the product name, findingall occurrences of a successful purchase in a field within the eventsand generating a total of the number of occurrences. A sum of the totalsales is displayed in column 1205, which is a result of themultiplication of the price and the number of successful purchases foreach product.

The reporting application allows the user to create graphicalvisualizations of the statistics generated for a report. For example,FIG. 13 illustrates an example graphical user interface 1300 that maydisplay a set of components and associated statistics 1301. Thereporting application allows the user to select a visualization of thestatistics in a graph (e.g., bar chart, scatter plot, area chart, linechart, pie chart, radial gauge, marker gauge, filler gauge, etc.), wherethe format of the graph may be selected using the user interfacecontrols 1302 along the left panel of the user interface 1300. FIG. 14illustrates an example of a bar chart visualization 1400 of an aspect ofthe statistical data 1301. FIG. 15 illustrates a scatter plotvisualization 1500 of an aspect of the statistical data 1301.

2.13. Acceleration Technique

The above-described system provides significant flexibility by enablinga user to analyze massive quantities of minimally-processed data “on thefly” at search time using a late-binding schema, instead of storingpre-specified portions of the data in a database at ingestion time. Thisflexibility enables a user to see valuable insights, correlate data, andperform subsequent queries to examine interesting aspects of the datathat may not have been apparent at ingestion time.

However, performing extraction and analysis operations at search timecan involve a large amount of data and require a large number ofcomputational operations, which can cause delays in processing thequeries. Advantageously, the data intake and query system also employs anumber of unique acceleration techniques that have been developed tospeed up analysis operations performed at search time. These techniquesinclude: (1) performing search operations in parallel across multipleindexers; (2) using a keyword index; (3) using a high performanceanalytics store; and (4) accelerating the process of generating reports.These novel techniques are described in more detail below.

2.13.1. Aggregation Technique

To facilitate faster query processing, a query can be structured suchthat multiple indexers perform the query in parallel, while aggregationof search results from the multiple indexers is performed locally at thesearch head. For example, FIG. 16 is an example search query receivedfrom a client and executed by search peers, in accordance with exampleembodiments. FIG. 16 illustrates how a search query 1602 received from aclient at a search head 210 can split into two phases, including: (1)subtasks 1604 (e.g., data retrieval or simple filtering) that may beperformed in parallel by indexers 206 for execution, and (2) a searchresults aggregation operation 1606 to be executed by the search headwhen the results are ultimately collected from the indexers.

During operation, upon receiving search query 1602, a search head 210determines that a portion of the operations involved with the searchquery may be performed locally by the search head. The search headmodifies search query 1602 by substituting “stats” (create aggregatestatistics over results sets received from the indexers at the searchhead) with “prestats” (create statistics by the indexer from localresults set) to produce search query 1604, and then distributes searchquery 1604 to distributed indexers, which are also referred to as“search peers” or “peer indexers.” Note that search queries maygenerally specify search criteria or operations to be performed onevents that meet the search criteria. Search queries may also specifyfield names, as well as search criteria for the values in the fields oroperations to be performed on the values in the fields. Moreover, thesearch head may distribute the full search query to the search peers asillustrated in FIG. 6A, or may alternatively distribute a modifiedversion (e.g., a more restricted version) of the search query to thesearch peers. In this example, the indexers are responsible forproducing the results and sending them to the search head. After theindexers return the results to the search head, the search headaggregates the received results 1606 to form a single search result set.By executing the query in this manner, the system effectivelydistributes the computational operations across the indexers whileminimizing data transfers.

2.13.2. Keyword Index

As described above with reference to the flow charts in FIG. 5A and FIG.6A, data intake and query system 108 can construct and maintain one ormore keyword indices to quickly identify events containing specifickeywords. This technique can greatly speed up the processing of queriesinvolving specific keywords. As mentioned above, to build a keywordindex, an indexer first identifies a set of keywords. Then, the indexerincludes the identified keywords in an index, which associates eachstored keyword with references to events containing that keyword, or tolocations within events where that keyword is located. When an indexersubsequently receives a keyword-based query, the indexer can access thekeyword index to quickly identify events containing the keyword.

2.13.3. High Performance Analytics Store

To speed up certain types of queries, some embodiments of system 108create a high performance analytics store, which is referred to as a“summarization table,” that contains entries for specific field-valuepairs. Each of these entries keeps track of instances of a specificvalue in a specific field in the events and includes references toevents containing the specific value in the specific field. For example,an example entry in a summarization table can keep track of occurrencesof the value “94107” in a “ZIP code” field of a set of events and theentry includes references to all of the events that contain the value“94107” in the ZIP code field. This optimization technique enables thesystem to quickly process queries that seek to determine how many eventshave a particular value for a particular field. To this end, the systemcan examine the entry in the summarization table to count instances ofthe specific value in the field without having to go through theindividual events or perform data extractions at search time. Also, ifthe system needs to process all events that have a specific field-valuecombination, the system can use the references in the summarizationtable entry to directly access the events to extract further informationwithout having to search all of the events to find the specificfield-value combination at search time.

In some embodiments, the system maintains a separate summarization tablefor each of the above-described time-specific buckets that stores eventsfor a specific time range. A bucket-specific summarization tableincludes entries for specific field-value combinations that occur inevents in the specific bucket. Alternatively, the system can maintain aseparate summarization table for each indexer. The indexer-specificsummarization table includes entries for the events in a data store thatare managed by the specific indexer. Indexer-specific summarizationtables may also be bucket-specific.

The summarization table can be populated by running a periodic querythat scans a set of events to find instances of a specific field-valuecombination, or alternatively instances of all field-value combinationsfor a specific field. A periodic query can be initiated by a user, orcan be scheduled to occur automatically at specific time intervals. Aperiodic query can also be automatically launched in response to a querythat asks for a specific field-value combination.

In some cases, when the summarization tables may not cover all of theevents that are relevant to a query, the system can use thesummarization tables to obtain partial results for the events that arecovered by summarization tables, but may also have to search throughother events that are not covered by the summarization tables to produceadditional results. These additional results can then be combined withthe partial results to produce a final set of results for the query. Thesummarization table and associated techniques are described in moredetail in U.S. Pat. No. 8,682,925, entitled “DISTRIBUTED HIGHPERFORMANCE ANALYTICS STORE”, issued on 25 Mar. 2014, U.S. Pat. No.9,128,985, entitled “SUPPLEMENTING A HIGH PERFORMANCE ANALYTICS STOREWITH EVALUATION OF INDIVIDUAL EVENTS TO RESPOND TO AN EVENT QUERY”,issued on 8 Sep. 2015, and U.S. patent application Ser. No. 14/815,973,entitled “GENERATING AND STORING SUMMARIZATION TABLES FOR SETS OFSEARCHABLE EVENTS”, filed on 1 Aug. 2015, each of which is herebyincorporated by reference in its entirety for all purposes.

To speed up certain types of queries, e.g., frequently encounteredqueries or computationally intensive queries, some embodiments of system108 create a high performance analytics store, which is referred to as a“summarization table,” (also referred to as a “lexicon” or “invertedindex”) that contains entries for specific field-value pairs. Each ofthese entries keeps track of instances of a specific value in a specificfield in the event data and includes references to events containing thespecific value in the specific field. For example, an example entry inan inverted index can keep track of occurrences of the value “94107” ina “ZIP code” field of a set of events and the entry includes referencesto all of the events that contain the value “94107” in the ZIP codefield. Creating the inverted index data structure avoids needing toincur the computational overhead each time a statistical query needs tobe run on a frequently encountered field-value pair. In order toexpedite queries, in most embodiments, the search engine will employ theinverted index separate from the raw record data store to generateresponses to the received queries.

Note that the term “summarization table” or “inverted index” as usedherein is a data structure that may be generated by an indexer thatincludes at least field names and field values that have been extractedand/or indexed from event records. An inverted index may also includereference values that point to the location(s) in the field searchabledata store where the event records that include the field may be found.Also, an inverted index may be stored using well-known compressiontechniques to reduce its storage size.

Further, note that the term “reference value” (also referred to as a“posting value”) as used herein is a value that references the locationof a source record in the field searchable data store. In someembodiments, the reference value may include additional informationabout each record, such as timestamps, record size, meta-data, or thelike. Each reference value may be a unique identifier which may be usedto access the event data directly in the field searchable data store. Insome embodiments, the reference values may be ordered based on eachevent record's timestamp. For example, if numbers are used asidentifiers, they may be sorted so event records having a latertimestamp always have a lower valued identifier than event records withan earlier timestamp, or vice-versa. Reference values are often includedin inverted indexes for retrieving and/or identifying event records.

In one or more embodiments, an inverted index is generated in responseto a user-initiated collection query. The term “collection query” asused herein refers to queries that include commands that generatesummarization information and inverted indexes (or summarization tables)from event records stored in the field searchable data store.

Note that a collection query is a special type of query that can beuser-generated and is used to create an inverted index. A collectionquery is not the same as a query that is used to call up or invoke apre-existing inverted index. In one or more embodiment, a query cancomprise an initial step that calls up a pre-generated inverted index onwhich further filtering and processing can be performed. For example,referring back to FIG. 13, a set of events generated at block 1320 byeither using a “collection” query to create a new inverted index or bycalling up a pre-generated inverted index. A query with severalpipelined steps will start with a pre-generated index to accelerate thequery.

FIG. 7C illustrates the manner in which an inverted index is created andused in accordance with the disclosed embodiments. As shown in FIG. 7C,an inverted index 722 can be created in response to a user-initiatedcollection query using the event data 723 stored in the raw record datastore. For example, a non-limiting example of a collection query mayinclude “collect clientip=127.0.0.1” which may result in an invertedindex 722 being generated from the event data 723 as shown in FIG. 7C.Each entry in inverted index 722 includes an event reference value thatreferences the location of a source record in the field searchable datastore. The reference value may be used to access the original eventrecord directly from the field searchable data store.

In one or more embodiments, if one or more of the queries is acollection query, the responsive indexers may generate summarizationinformation based on the fields of the event records located in thefield searchable data store. In at least one of the various embodiments,one or more of the fields used in the summarization information may belisted in the collection query and/or they may be determined based onterms included in the collection query. For example, a collection querymay include an explicit list of fields to summarize. Or, in at least oneof the various embodiments, a collection query may include terms orexpressions that explicitly define the fields, e.g., using regex rules.In FIG. 7C, prior to running the collection query that generates theinverted index 722, the field name “clientip” may need to be defined ina configuration file by specifying the “access_combined” source type anda regular expression rule to parse out the client IP address.Alternatively, the collection query may contain an explicit definitionfor the field name “clientip” which may obviate the need to referencethe configuration file at search time.

In one or more embodiments, collection queries may be saved andscheduled to run periodically. These scheduled collection queries mayperiodically update the summarization information corresponding to thequery. For example, if the collection query that generates invertedindex 722 is scheduled to run periodically, one or more indexers wouldperiodically search through the relevant buckets to update invertedindex 722 with event data for any new events with the “clientip” valueof “127.0.0.1.”

In some embodiments, the inverted indexes that include fields, values,and reference value (e.g., inverted index 722) for event records may beincluded in the summarization information provided to the user. In otherembodiments, a user may not be interested in specific fields and valuescontained in the inverted index, but may need to perform a statisticalquery on the data in the inverted index. For example, referencing theexample of FIG. 7C rather than viewing the fields within summarizationtable 722, a user may want to generate a count of all client requestsfrom IP address “127.0.0.1.” In this case, the search engine wouldsimply return a result of “4” rather than including details about theinverted index 722 in the information provided to the user.

The pipelined search language, e.g., SPL of the SPLUNK® ENTERPRISEsystem can be used to pipe the contents of an inverted index to astatistical query using the “stats” command for example. A “stats” queryrefers to queries that generate result sets that may produce aggregateand statistical results from event records, e.g., average, mean, max,min, rms, etc. Where sufficient information is available in an invertedindex, a “stats” query may generate their result sets rapidly from thesummarization information available in the inverted index rather thandirectly scanning event records. For example, the contents of invertedindex 722 can be pipelined to a stats query, e.g., a “count” functionthat counts the number of entries in the inverted index and returns avalue of “4.” In this way, inverted indexes may enable various statsqueries to be performed absent scanning or search the event records.Accordingly, this optimization technique enables the system to quicklyprocess queries that seek to determine how many events have a particularvalue for a particular field. To this end, the system can examine theentry in the inverted index to count instances of the specific value inthe field without having to go through the individual events or performdata extractions at search time.

In some embodiments, the system maintains a separate inverted index foreach of the above-described time-specific buckets that stores events fora specific time range. A bucket-specific inverted index includes entriesfor specific field-value combinations that occur in events in thespecific bucket. Alternatively, the system can maintain a separateinverted index for each indexer. The indexer-specific inverted indexincludes entries for the events in a data store that are managed by thespecific indexer. Indexer-specific inverted indexes may also bebucket-specific. In at least one or more embodiments, if one or more ofthe queries is a stats query, each indexer may generate a partial resultset from previously generated summarization information. The partialresult sets may be returned to the search head that received the queryand combined into a single result set for the query

As mentioned above, the inverted index can be populated by running aperiodic query that scans a set of events to find instances of aspecific field-value combination, or alternatively instances of allfield-value combinations for a specific field. A periodic query can beinitiated by a user, or can be scheduled to occur automatically atspecific time intervals. A periodic query can also be automaticallylaunched in response to a query that asks for a specific field-valuecombination. In some embodiments, if summarization information is absentfrom an indexer that includes responsive event records, further actionsmay be taken, such as, the summarization information may generated onthe fly, warnings may be provided the user, the collection queryoperation may be halted, the absence of summarization information may beignored, or the like, or combination thereof.

In one or more embodiments, an inverted index may be set up to updatecontinually. For example, the query may ask for the inverted index toupdate its result periodically, e.g., every hour. In such instances, theinverted index may be a dynamic data structure that is regularly updatedto include information regarding incoming events.

In some cases, e.g., where a query is executed before an inverted indexupdates, when the inverted index may not cover all of the events thatare relevant to a query, the system can use the inverted index to obtainpartial results for the events that are covered by inverted index, butmay also have to search through other events that are not covered by theinverted index to produce additional results on the fly. In other words,an indexer would need to search through event data on the data store tosupplement the partial results. These additional results can then becombined with the partial results to produce a final set of results forthe query. Note that in typical instances where an inverted index is notcompletely up to date, the number of events that an indexer would needto search through to supplement the results from the inverted indexwould be relatively small. In other words, the search to get the mostrecent results can be quick and efficient because only a small number ofevent records will be searched through to supplement the informationfrom the inverted index. The inverted index and associated techniquesare described in more detail in U.S. Pat. No. 8,682,925, entitled“DISTRIBUTED HIGH PERFORMANCE ANALYTICS STORE”, issued on 25 Mar. 2014,U.S. Pat. No. 9,128,985, entitled “SUPPLEMENTING A HIGH PERFORMANCEANALYTICS STORE WITH EVALUATION OF INDIVIDUAL EVENTS TO RESPOND TO ANEVENT QUERY”, filed on 31 Jan. 2014, and U.S. patent application Ser.No. 14/815,973, entitled “STORAGE MEDIUM AND CONTROL DEVICE”, filed on21 Feb. 2014, each of which is hereby incorporated by reference in itsentirety.

2.13.4. Extracting Event Data Using Posting Values

In one or more embodiments, if the system needs to process all eventsthat have a specific field-value combination, the system can use thereferences in the inverted index entry to directly access the events toextract further information without having to search all of the eventsto find the specific field-value combination at search time. In otherwords, the system can use the reference values to locate the associatedevent data in the field searchable data store and extract furtherinformation from those events, e.g., extract further field values fromthe events for purposes of filtering or processing or both.

The information extracted from the event data using the reference valuescan be directed for further filtering or processing in a query using thepipeline search language. The pipelined search language will, in oneembodiment, include syntax that can direct the initial filtering step ina query to an inverted index. In one embodiment, a user would includesyntax in the query that explicitly directs the initial searching orfiltering step to the inverted index.

Referencing the example in FIG. 15, if the user determines that sheneeds the user id fields associated with the client requests from IPaddress “127.0.0.1,” instead of incurring the computational overhead ofperforming a brand new search or re-generating the inverted index withan additional field, the user can generate a query that explicitlydirects or pipes the contents of the already generated inverted index1502 to another filtering step requesting the user ids for the entriesin inverted index 1502 where the server response time is greater than“0.0900” microseconds. The search engine would use the reference valuesstored in inverted index 722 to retrieve the event data from the fieldsearchable data store, filter the results based on the “response time”field values and, further, extract the user id field from the resultingevent data to return to the user. In the present instance, the user ids“frank” and “carlos” would be returned to the user from the generatedresults table 722.

In one embodiment, the same methodology can be used to pipe the contentsof the inverted index to a processing step. In other words, the user isable to use the inverted index to efficiently and quickly performaggregate functions on field values that were not part of the initiallygenerated inverted index. For example, a user may want to determine anaverage object size (size of the requested gif) requested by clientsfrom IP address “127.0.0.1.” In this case, the search engine would againuse the reference values stored in inverted index 722 to retrieve theevent data from the field searchable data store and, further, extractthe object size field values from the associated events 731, 732, 733and 734. Once, the corresponding object sizes have been extracted (i.e.2326, 2900, 2920, and 5000), the average can be computed and returned tothe user.

In one embodiment, instead of explicitly invoking the inverted index ina user-generated query, e.g., by the use of special commands or syntax,the SPLUNK® ENTERPRISE system can be configured to automaticallydetermine if any prior-generated inverted index can be used to expeditea user query. For example, the user's query may request the averageobject size (size of the requested gif) requested by clients from IPaddress “127.0.0.1.” without any reference to or use of inverted index722. The search engine, in this case, would automatically determine thatan inverted index 722 already exists in the system that could expeditethis query. In one embodiment, prior to running any search comprising afield-value pair, for example, a search engine may search though all theexisting inverted indexes to determine if a pre-generated inverted indexcould be used to expedite the search comprising the field-value pair.Accordingly, the search engine would automatically use the pre-generatedinverted index, e.g., index 722 to generate the results without anyuser-involvement that directs the use of the index.

Using the reference values in an inverted index to be able to directlyaccess the event data in the field searchable data store and extractfurther information from the associated event data for further filteringand processing is highly advantageous because it avoids incurring thecomputation overhead of regenerating the inverted index with additionalfields or performing a new search.

The data intake and query system includes one or more forwarders thatreceive raw machine data from a variety of input data sources, and oneor more indexers that process and store the data in one or more datastores. By distributing events among the indexers and data stores, theindexers can analyze events for a query in parallel. In one or moreembodiments, a multiple indexer implementation of the search systemwould maintain a separate and respective inverted index for each of theabove-described time-specific buckets that stores events for a specifictime range. A bucket-specific inverted index includes entries forspecific field-value combinations that occur in events in the specificbucket. As explained above, a search head would be able to correlate andsynthesize data from across the various buckets and indexers.

This feature advantageously expedites searches because instead ofperforming a computationally intensive search in a centrally locatedinverted index that catalogues all the relevant events, an indexer isable to directly search an inverted index stored in a bucket associatedwith the time-range specified in the query. This allows the search to beperformed in parallel across the various indexers. Further, if the queryrequests further filtering or processing to be conducted on the eventdata referenced by the locally stored bucket-specific inverted index,the indexer is able to simply access the event records stored in theassociated bucket for further filtering and processing instead ofneeding to access a central repository of event records, which woulddramatically add to the computational overhead.

In one embodiment, there may be multiple buckets associated with thetime-range specified in a query. If the query is directed to an invertedindex, or if the search engine automatically determines that using aninverted index would expedite the processing of the query, the indexerswill search through each of the inverted indexes associated with thebuckets for the specified time-range. This feature allows the HighPerformance Analytics Store to be scaled easily.

In certain instances, where a query is executed before a bucket-specificinverted index updates, when the bucket-specific inverted index may notcover all of the events that are relevant to a query, the system can usethe bucket-specific inverted index to obtain partial results for theevents that are covered by bucket-specific inverted index, but may alsohave to search through the event data in the bucket associated with thebucket-specific inverted index to produce additional results on the fly.In other words, an indexer would need to search through event datastored in the bucket (that was not yet processed by the indexer for thecorresponding inverted index) to supplement the partial results from thebucket-specific inverted index.

FIG. 7D presents a flowchart illustrating how an inverted index in apipelined search query can be used to determine a set of event data thatcan be further limited by filtering or processing in accordance with thedisclosed embodiments.

At block 742, a query is received by a data intake and query system. Insome embodiments, the query can be received as a user generated queryentered into a search bar of a graphical user search interface. Thesearch interface also includes a time range control element that enablesspecification of a time range for the query.

At block 744, an inverted index is retrieved. Note, that the invertedindex can be retrieved in response to an explicit user search commandinputted as part of the user generated query. Alternatively, the searchengine can be configured to automatically use an inverted index if itdetermines that using the inverted index would expedite the servicing ofthe user generated query. Each of the entries in an inverted index keepstrack of instances of a specific value in a specific field in the eventdata and includes references to events containing the specific value inthe specific field. In order to expedite queries, in most embodiments,the search engine will employ the inverted index separate from the rawrecord data store to generate responses to the received queries.

At block 746, the query engine determines if the query contains furtherfiltering and processing steps. If the query contains no furthercommands, then, in one embodiment, summarization information can beprovided to the user at block 754.

If, however, the query does contain further filtering and processingcommands, then at block 750, the query engine determines if the commandsrelate to further filtering or processing of the data extracted as partof the inverted index or whether the commands are directed to using theinverted index as an initial filtering step to further filter andprocess event data referenced by the entries in the inverted index. Ifthe query can be completed using data already in the generated invertedindex, then the further filtering or processing steps, e.g., a “count”number of records function, “average” number of records per hour etc.are performed and the results are provided to the user at block 752.

If, however, the query references fields that are not extracted in theinverted index, then the indexers will access event data pointed to bythe reference values in the inverted index to retrieve any furtherinformation required at block 756. Subsequently, any further filteringor processing steps are performed on the fields extracted directly fromthe event data and the results are provided to the user at step 758.

2.13.5. Accelerating Report Generation

In some embodiments, a data server system such as the data intake andquery system can accelerate the process of periodically generatingupdated reports based on query results. To accelerate this process, asummarization engine automatically examines the query to determinewhether generation of updated reports can be accelerated by creatingintermediate summaries. If reports can be accelerated, the summarizationengine periodically generates a summary covering data obtained during alatest non-overlapping time period. For example, where the query seeksevents meeting a specified criteria, a summary for the time periodincludes only events within the time period that meet the specifiedcriteria. Similarly, if the query seeks statistics calculated from theevents, such as the number of events that match the specified criteria,then the summary for the time period includes the number of events inthe period that match the specified criteria.

In addition to the creation of the summaries, the summarization engineschedules the periodic updating of the report associated with the query.During each scheduled report update, the query engine determines whetherintermediate summaries have been generated covering portions of the timeperiod covered by the report update. If so, then the report is generatedbased on the information contained in the summaries. Also, if additionalevent data has been received and has not yet been summarized, and isrequired to generate the complete report, the query can be run on theseadditional events. Then, the results returned by this query on theadditional events, along with the partial results obtained from theintermediate summaries, can be combined to generate the updated report.This process is repeated each time the report is updated. Alternatively,if the system stores events in buckets covering specific time ranges,then the summaries can be generated on a bucket-by-bucket basis. Notethat producing intermediate summaries can save the work involved inre-running the query for previous time periods, so advantageously onlythe newer events needs to be processed while generating an updatedreport. These report acceleration techniques are described in moredetail in U.S. Pat. No. 8,589,403, entitled “COMPRESSED JOURNALING INEVENT TRACKING FILES FOR METADATA RECOVERY AND REPLICATION”, issued on19 Nov. 2013, U.S. Pat. No. 8,412,696, entitled “REAL TIME SEARCHING ANDREPORTING”, issued on 2 Apr. 2011, and U.S. Pat. Nos. 8,589,375 and8,589,432, both also entitled “REAL TIME SEARCHING AND REPORTING”, bothissued on 19 Nov. 2013, each of which is hereby incorporated byreference in its entirety for all purposes.

2.14. Security Features

The data intake and query system provides various schemas, dashboards,and visualizations that simplify developers' tasks to createapplications with additional capabilities. One such application is thean enterprise security application, such as SPLUNK® ENTERPRISE SECURITY,which performs monitoring and alerting operations and includes analyticsto facilitate identifying both known and unknown security threats basedon large volumes of data stored by the data intake and query system. Theenterprise security application provides the security practitioner withvisibility into security-relevant threats found in the enterpriseinfrastructure by capturing, monitoring, and reporting on data fromenterprise security devices, systems, and applications. Through the useof the data intake and query system searching and reportingcapabilities, the enterprise security application provides a top-downand bottom-up view of an organization's security posture.

The enterprise security application leverages the data intake and querysystem search-time normalization techniques, saved searches, andcorrelation searches to provide visibility into security-relevantthreats and activity and generate notable events for tracking. Theenterprise security application enables the security practitioner toinvestigate and explore the data to find new or unknown threats that donot follow signature-based patterns.

Conventional Security Information and Event Management (STEM) systemslack the infrastructure to effectively store and analyze large volumesof security-related data. Traditional SIEM systems typically use fixedschemas to extract data from pre-defined security-related fields at dataingestion time and store the extracted data in a relational database.This traditional data extraction process (and associated reduction indata size) that occurs at data ingestion time inevitably hampers futureincident investigations that may need original data to determine theroot cause of a security issue, or to detect the onset of an impendingsecurity threat.

In contrast, the enterprise security application system stores largevolumes of minimally-processed security-related data at ingestion timefor later retrieval and analysis at search time when a live securitythreat is being investigated. To facilitate this data retrieval process,the enterprise security application provides pre-specified schemas forextracting relevant values from the different types of security-relatedevents and enables a user to define such schemas.

The enterprise security application can process many types ofsecurity-related information. In general, this security-relatedinformation can include any information that can be used to identifysecurity threats. For example, the security-related information caninclude network-related information, such as IP addresses, domain names,asset identifiers, network traffic volume, uniform resource locatorstrings, and source addresses. The process of detecting security threatsfor network-related information is further described in U.S. Pat. No.8,826,434, entitled “SECURITY THREAT DETECTION BASED ON INDICATIONS INBIG DATA OF ACCESS TO NEWLY REGISTERED DOMAINS”, issued on 2 Sep. 2014,U.S. Pat. No. 9,215,240, entitled “INVESTIGATIVE AND DYNAMIC DETECTIONOF POTENTIAL SECURITY-THREAT INDICATORS FROM EVENTS IN BIG DATA”, issuedon 15 Dec. 2015, U.S. Pat. No. 9,173,801, entitled “GRAPHIC DISPLAY OFSECURITY THREATS BASED ON INDICATIONS OF ACCESS TO NEWLY REGISTEREDDOMAINS”, issued on 3 Nov. 2015, U.S. Pat. No. 9,248,068, entitled“SECURITY THREAT DETECTION OF NEWLY REGISTERED DOMAINS”, issued on 2Feb. 2016, U.S. Pat. No. 9,426,172, entitled “SECURITY THREAT DETECTIONUSING DOMAIN NAME ACCESSES”, issued on 23 Aug. 2016, and U.S. Pat. No.9,432,396, entitled “SECURITY THREAT DETECTION USING DOMAIN NAMEREGISTRATIONS”, issued on 30 Aug. 2016, each of which is herebyincorporated by reference in its entirety for all purposes.Security-related information can also include malware infection data andsystem configuration information, as well as access control information,such as login/logout information and access failure notifications. Thesecurity-related information can originate from various sources within adata center, such as hosts, virtual machines, storage devices andsensors. The security-related information can also originate fromvarious sources in a network, such as routers, switches, email servers,proxy servers, gateways, firewalls and intrusion-detection systems.

During operation, the enterprise security application facilitatesdetecting “notable events” that are likely to indicate a securitythreat. A notable event represents one or more anomalous incidents, theoccurrence of which can be identified based on one or more events (e.g.,time stamped portions of raw machine data) fulfilling pre-specifiedand/or dynamically-determined (e.g., based on machine-learning) criteriadefined for that notable event. Examples of notable events include therepeated occurrence of an abnormal spike in network usage over a periodof time, a single occurrence of unauthorized access to system, a hostcommunicating with a server on a known threat list, and the like. Thesenotable events can be detected in a number of ways, such as: (1) a usercan notice a correlation in events and can manually identify that acorresponding group of one or more events amounts to a notable event; or(2) a user can define a “correlation search” specifying criteria for anotable event, and every time one or more events satisfy the criteria,the application can indicate that the one or more events correspond to anotable event; and the like. A user can alternatively select apre-defined correlation search provided by the application. Note thatcorrelation searches can be run continuously or at regular intervals(e.g., every hour) to search for notable events. Upon detection, notableevents can be stored in a dedicated “notable events index,” which can besubsequently accessed to generate various visualizations containingsecurity-related information. Also, alerts can be generated to notifysystem operators when important notable events are discovered.

The enterprise security application provides various visualizations toaid in discovering security threats, such as a “key indicators view”that enables a user to view security metrics, such as counts ofdifferent types of notable events. For example, FIG. 17A illustrates anexample key indicators view 1700 that comprises a dashboard, which candisplay a value 1701, for various security-related metrics, such asmalware infections 1702. It can also display a change in a metric value1703, which indicates that the number of malware infections increased by63 during the preceding interval. Key indicators view 1700 additionallydisplays a histogram panel 1704 that displays a histogram of notableevents organized by urgency values, and a histogram of notable eventsorganized by time intervals. This key indicators view is described infurther detail in pending U.S. patent application Ser. No. 13/956,338,entitled “KEY INDICATORS VIEW”, filed on 31 Jul. 2013, and which ishereby incorporated by reference in its entirety for all purposes.

These visualizations can also include an “incident review dashboard”that enables a user to view and act on “notable events.” These notableevents can include: (1) a single event of high importance, such as anyactivity from a known web attacker; or (2) multiple events thatcollectively warrant review, such as a large number of authenticationfailures on a host followed by a successful authentication. For example,FIG. 17B illustrates an example incident review dashboard 1710 thatincludes a set of incident attribute fields 1711 that, for example,enables a user to specify a time range field 1712 for the displayedevents. It also includes a timeline 1713 that graphically illustratesthe number of incidents that occurred in time intervals over theselected time range. It additionally displays an events list 1714 thatenables a user to view a list of all of the notable events that matchthe criteria in the incident attributes fields 1711. To facilitateidentifying patterns among the notable events, each notable event can beassociated with an urgency value (e.g., low, medium, high, critical),which is indicated in the incident review dashboard. The urgency valuefor a detected event can be determined based on the severity of theevent and the priority of the system component associated with theevent.

2.14. Data Center Monitoring

As mentioned above, the data intake and query platform provides variousfeatures that simplify the developers' task to create variousapplications. One such application is a virtual machine monitoringapplication, such as SPLUNK® APP FOR VMWARE® that provides operationalvisibility into granular performance metrics, logs, tasks and events,and topology from hosts, virtual machines and virtual centers. Itempowers administrators with an accurate real-time picture of the healthof the environment, proactively identifying performance and capacitybottlenecks.

Conventional data-center-monitoring systems lack the infrastructure toeffectively store and analyze large volumes of machine-generated data,such as performance information and log data obtained from the datacenter. In conventional data-center-monitoring systems,machine-generated data is typically pre-processed prior to being stored,for example, by extracting pre-specified data items and storing them ina database to facilitate subsequent retrieval and analysis at searchtime. However, the rest of the data is not saved and discarded duringpre-processing.

In contrast, the virtual machine monitoring application stores largevolumes of minimally processed machine data, such as performanceinformation and log data, at ingestion time for later retrieval andanalysis at search time when a live performance issue is beinginvestigated. In addition to data obtained from various log files, thisperformance-related information can include values for performancemetrics obtained through an application programming interface (API)provided as part of the vSphere Hypervisor™ system distributed byVMware, Inc. of Palo Alto, Calif. For example, these performance metricscan include: (1) CPU-related performance metrics; (2) disk-relatedperformance metrics; (3) memory-related performance metrics; (4)network-related performance metrics; (5) energy-usage statistics; (6)data-traffic-related performance metrics; (7) overall systemavailability performance metrics; (8) cluster-related performancemetrics; and (9) virtual machine performance statistics. Suchperformance metrics are described in U.S. patent application Ser. No.14/167,316, entitled “CORRELATION FOR USER-SELECTED TIME RANGES OFVALUES FOR PERFORMANCE METRICS OF COMPONENTS IN ANINFORMATION-TECHNOLOGY ENVIRONMENT WITH LOG DATA FROM THATINFORMATION-TECHNOLOGY ENVIRONMENT”, filed on 29 Jan. 2014, and which ishereby incorporated by reference in its entirety for all purposes.

To facilitate retrieving information of interest from performance dataand log files, the virtual machine monitoring application providespre-specified schemas for extracting relevant values from differenttypes of performance-related events, and also enables a user to definesuch schemas.

The virtual machine monitoring application additionally provides variousvisualizations to facilitate detecting and diagnosing the root cause ofperformance problems. For example, one such visualization is a“proactive monitoring tree” that enables a user to easily view andunderstand relationships among various factors that affect theperformance of a hierarchically structured computing system. Thisproactive monitoring tree enables a user to easily navigate thehierarchy by selectively expanding nodes representing various entities(e.g., virtual centers or computing clusters) to view performanceinformation for lower-level nodes associated with lower-level entities(e.g., virtual machines or host systems). Example node-expansionoperations are illustrated in FIG. 17C, wherein nodes 1733 and 1734 areselectively expanded. Note that nodes 1731-1739 can be displayed usingdifferent patterns or colors to represent different performance states,such as a critical state, a warning state, a normal state or anunknown/offline state. The ease of navigation provided by selectiveexpansion in combination with the associated performance-stateinformation enables a user to quickly diagnose the root cause of aperformance problem. The proactive monitoring tree is described infurther detail in U.S. Pat. No. 9,185,007, entitled “PROACTIVEMONITORING TREE WITH SEVERITY STATE SORTING”, issued on 10 Nov. 2015,and U.S. Pat. No. 9,426,045, also entitled “PROACTIVE MONITORING TREEWITH SEVERITY STATE SORTING”, issued on 23 Aug. 2016, each of which ishereby incorporated by reference in its entirety for all purposes.

The virtual machine monitoring application also provides a userinterface that enables a user to select a specific time range and thenview heterogeneous data comprising events, log data, and associatedperformance metrics for the selected time range. For example, the screenillustrated in FIG. 17D displays a listing of recent “tasks and events”and a listing of recent “log entries” for a selected time range above aperformance-metric graph for “average CPU core utilization” for theselected time range. Note that a user is able to operate pull-down menus1742 to selectively display different performance metric graphs for theselected time range. This enables the user to correlate trends in theperformance-metric graph with corresponding event and log data toquickly determine the root cause of a performance problem. This userinterface is described in more detail in U.S. patent application Ser.No. 14/167,316, entitled “CORRELATION FOR USER-SELECTED TIME RANGES OFVALUES FOR PERFORMANCE METRICS OF COMPONENTS IN ANINFORMATION-TECHNOLOGY ENVIRONMENT WITH LOG DATA FROM THATINFORMATION-TECHNOLOGY ENVIRONMENT”, filed on 29 Jan. 2014, and which ishereby incorporated by reference in its entirety for all purposes.

3. Extended Reality Overlays In An Industrial Environment

As described above, one problem with the conventional approaches formonitoring and/or servicing machines in a particular operatingenvironment is that a user may have difficulty locating a physicalmachine for which information is sought. Additionally, once a user haslocated a particular machine, the user may not be able to determine astatus of that machine.

Accordingly, in various embodiments disclosed herein, optical datamarkers may be implemented to enable machines to be quickly and reliablyidentified. Further, data stored in association with an optical datamarker may be used to overlay relevant information onto the machine.Alternatively, if an optical data marker is unavailable for a particularmachine, a geofence in which the machine is located may be determined.The machine may then be identified based on a listing of known machinesincluded in the geofence as well as based on visual and/or auditory datathat is acquired from the machine. These techniques are described belowin further detail in conjunction with FIGS. 18A-34.

3.1. Optical Data Marker-Based Extended Reality Techniques

FIG. 18A illustrates a more detailed view of the example networkedcomputer environment 100 of FIG. 1, in accordance with exampleembodiments. As shown, the networked computer environment 1800 mayinclude, without limitation, a data intake and query system 108, and aclient device 404 (also referred to herein as a mobile device)communicating with one another over one or more networks 420. The dataintake and query system 108 and client device 404 function substantiallythe same as described in conjunction with FIGS. 1 and 4, except asfurther described herein. Examples of client devices 404 may include,without limitation, smartphones, tablet computers, handheld computers,wearable devices, laptop computers, desktop computers, servers, portablemedia players, gaming devices, and so forth. The client device 404 mayinclude, without limitation, a processor 1802, storage 1804, aninput/output (I/O) device interface 1806, a network interface 1808, aninterconnect 1810, and a system memory 1812.

In general, processor 1802 may retrieve and execute programminginstructions stored in system memory 1812. Processor 1802 may be anytechnically feasible form of processing device configured to processdata and execute program code. Processor 1802 could be, for example, acentral processing unit (CPU), a graphics processing unit (GPU), anapplication-specific integrated circuit (ASIC), a field-programmablegate array (FPGA), and so forth. Processor 1802 stores and retrievesapplication data residing in the system memory 1812. Processor 1802 isincluded to be representative of a single CPU, multiple CPUs, a singleCPU having multiple processing cores, and the like. In operation,processor 1802 is the master processor of the client device 404,controlling and coordinating operations of other system components.System memory 1812 stores software application programs and data for useby processor 1802. Processor 1802 executes software application programsstored within system memory 1812 and optionally an operating system. Inparticular, processor 1802 executes software and then performs one ormore of the functions and operations set forth in the presentapplication.

The storage 1804 may be a disk drive storage device. Although shown as asingle unit, the storage 1804 may be a combination of fixed and/orremovable storage devices, such as fixed disc drives, floppy discdrives, tape drives, removable memory cards, or optical storage, networkattached storage (NAS), or a storage area-network (SAN). Processor 1802communicates to other computing devices and systems via networkinterface 1808, where network interface 1808 is configured to transmitand receive data via one or more communications networks 420.

The interconnect 1810 facilitates transmission, such as of programminginstructions and application data, between the processor 1802,input/output (I/O) devices interface 1806, storage 1804, networkinterface 1808, and system memory 1812. The I/O devices interface 1806is configured to receive input data from user I/O devices. These I/Odevices include, without limitation, camera(s) 1820, location sensor(s)1822, a display device 1824, and microphone(s) 1826. Display device 1824generally represents any technically feasible means for generating animage for display. For example, the display device may be a liquidcrystal display (LCD) display, organic light emitting diode (OLED)display, or DLP display. Camera 1820 acquires images via a lens andconverts the images into digital form. The images acquired by the camera1820 may be stored in storage 1804 and/or system memory 1812. Anacquired image may be displayed on the display device 1824, either aloneor in conjunction with one or more other acquired images, graphicaloverlays, and/or other data.

Location sensor 1822 enables client device 404 to determine the physicallocation and orientation of client device 404. In some embodiments,location sensor 1822 may include a network-based sensor thatcommunicates with data intake and query system 108 via one or morenetwork(s) 420, which may be part of a production monitoring network. Insome embodiments, location sensor 1822 may include a network-basedsensor that communicates with one or more data intake and query systemsvia a local area network and/or a wide area network. In variousembodiments, the production monitoring environment may include multiplemachines and/or multiples client devices 404, each of which maycommunicate with a data intake and query system and each of which iscapable of identifying one or more machines based on optical datamarkers, geofences, and/or any other machine identification techniquedisclosed herein. Microphone 1826 acquires audio signals for storage andanalysis. Additional examples of user I/O devices (not explicitly shown)may include one or more buttons, a keyboard, and a mouse or otherpointing device. The I/O devices interface 1806 may also include anaudio output unit configured to generate an electrical audio outputsignal, and the additional user I/O devices may further include aspeaker configured to generate an acoustic output in response to theelectrical audio output signal.

The system memory 1812 may include, without limitation, an extendedreality application 1814 and a database 1816. Processor 1802 executesthe extended reality application 1814, to perform one or more of thetechniques disclosed herein and to store data in and retrieve data fromdatabase 1816.

FIG. 18B illustrates a network architecture 1801 that enables securecommunications between extended reality application 1814 and anon-premises environment 1860 for data intake and query system 108, inaccordance with example embodiments. As described above, a user mayinstall and configure, on computing devices owned and operated by theuser, one or more software applications that implement some or all ofthe data intake and query system 108. For example, a user may install asoftware application on server computers owned by the user and configureeach server to operate as one or more of a forwarder, an indexer, asearch head, etc. This arrangement generally may be referred to as an“on-premises” solution. An on-premises solution may provide a greaterlevel of control over the configuration of certain aspects of the system(e.g., security, privacy, standards, controls, etc.).

Implementing data intake and query system 108 in an on-premisesenvironment 1860 may present various challenges. For example, enablinginstances of extended reality application 1814 executing on clientdevices 404 to securely communicate with data intake and query system108 may require the on-premises environment 1860 to allow mobileapplications to bypass a firewall, which may create security concerns.Accordingly, in various embodiments, cloud-based data intake and querysystem 306 executing in cloud environment 1850 may serve as a securebridge between extended reality application 1814 and an on-premisesenvironment 1860. In other implementations, the on-premises environment1860 may be omitted and the entire computational process may be carriedout in one or more aspects or components of cloud environment 1850.

As shown in FIG. 18B, cloud environment 1850 may include cloud-baseddata intake and query system 306, which communicates with data intakeand query system 108 via network 304. Cloud environment 1850 may furtherinclude middleware code 1852 and/or push notification service 1854,which communicate with extended reality application 1814 via network420. In various embodiments, network 304 and network 420 may be the samenetwork or may include one or more shared network components thatcommunicate with both network 304 and network 420.

In operation, extended reality application 1814 executing on clientdevice 404 may establish secure, bidirectional communications with dataintake and query system 108. For example, in some embodiments, apersistent, always-open, asynchronous socket for bidirectionalcommunications (e.g., a WebSocket connection) through a firewall ofon-premises environment 1860 could be established between data intakeand query system 108 and cloud-based data intake and query system 306.Cloud-based data intake and query system 306 may then communicate withextended reality application 1814 via middleware code 1852 executing incloud environment 1850. Additionally, in some embodiments, cloud-baseddata intake and query system 306 and/or middleware code 1852 maycommunicate with extended reality application 1814 via a pushnotification service 1854, such as Apple Push Notification service(APNs) or Google Cloud Messaging (GCM). For example, data intake andquery system 108 could output, to one or more client devices 404,various schemas, dashboards, playbooks, runbooks, cards, and/orvisualizations that include real-time data associated with a particularmachine. The schemas, dashboards, cards, and/or visualizations may thenbe overlaid with the real-world component by extended realityapplication 1814 in conjunction with an optional mobile template, asdiscussed below in further detail. Additionally or alternatively,playbooks and/or runbooks that include set of commands and/or simplelogic trees (e.g., if-then-else) associated with an object and possibleactions (e.g., “if the operating temperature is above 100 degreescelsius, then show options for activating fans) may be implementedand/or displayed to the user.

In some embodiments, in order to authenticate an instance of extendedreality application 1814 associated with a particular user and/or clientdevice 404, extended reality application 1814 may cause a uniqueidentifier associated with the user and/or client device 404 to bedisplayed on a display device (e.g., on a display of client device 404).The user may then register the unique identifier with cloud-based dataintake and query system 306 and/or data intake and query system 108,such as by entering the unique identifier into a user interface (e.g., aweb portal) associated with cloud-based data intake and query system 306or data intake and query system 108. In response, the extended realityapplication 1814 may receive credentials that can be used to accessreal-time data outputted by data intake and query system 108. Additionalqueries transmitted by client device 404 to data intake and query system108 may then implement the credentials associated with the uniqueidentifier. In this manner, secure, bidirectional communications may beestablished between client device 404 and data intake and query system108.

Once the communications connection is established, a technician points acamera 1820 of client device 404 towards one or more machines thatinclude optical data markers, such as quick response (QR) codes and barcodes. Extended reality application 1814 receives a digital imageacquired via a camera 1820 associated with client device 404. Extendedreality application 1814 then detects optical data markers present inthe digital image. For example, extended reality application 1814 coulddetect a single optical data marker or could concurrently detectmultiple optical data markers present in the digital image. Extendedreality application 1814 then decodes the detected optical data markersand identifies the machines that are associated with the decoded opticaldata markers. More specifically, extended reality application 1814decodes the detected optical data markers and retrieves a uniqueidentifier (UID) from each optical data marker. In some embodiments, theunique identifier may identify a corresponding machine or other object.In some embodiments, the unique identifier may not specifically identifya corresponding machine or other object. In these embodiments, extendedreality application 1814 and/or data intake and query system 108 mayassociate the unique identifier retrieved from the optical data markerwith the machine or other object.

Further, extended reality application 1814 may determine the size,three-dimensional position, and/or orientation of the optical datamarker. The size of the optical data marker may be a fixed size known toextended reality application 1814. Additionally or alternatively, thesize of the optical data marker may be encoded into the data of theoptical data marker. Further, extended reality application 1814 maydetect the plane in which the optical data marker resides. As furtherdescribed herein, extended reality application 1814 could then apply thesize, position, orientation, and/or plane detection information tocorrectly scale, position, and orient the AR overlay associated with theoptical data marker.

Next, extended reality application 1814 transmits queries to data intakeand query system 108 requesting values for metrics associated with theidentified machines. In response, data intake and query system 108 mayretrieve events associated with the identified machines and useextraction rules to extract values for fields in the events beingsearched, where the extracted values include the requested metricvalues. Then, data intake and query system 108 transmits the fieldvalues associated with the identified machines to extended realityapplication 1814. Data intake and query system 108 may transmit the rawdata retrieved from the field values included in the event data.Alternatively, data intake and query system 108 may filter, aggregate,or otherwise process the raw data prior to transmitting the fieldvalues.

The field values transmitted by data intake and query system 108 may bein any technically feasible format. In one example, the field valuescould include an augmented reality (AR) overlay. The AR overlay could bea full graphics overlay or a partial overlay. The AR overlay couldinclude text data, numerical data, and/or color information. The ARoverlay could further include icon data, such as a skull and crossbonessymbol for a machine that has failed. The AR overlay could include ahighlighted portion, signifying information of particular interest tothe technician. Further, the field values could include only theunderlying textual and/or numerical information, where extended realityapplication 1814 generates the AR overlay locally based on theunderlying textual and/or numerical information. The AR overlay can bestatic or dynamically updated. In some implementations, the AR overlaycan include interactive hooks to allow an operator of the system tointeract with the AR overlay.

Although various embodiments disclosed herein are described inconjunction with augmented reality (AR) techniques (e.g., generating ARoverlays), each augmented reality technique also may be implemented in avirtual reality (VR) environment. Likewise, each virtual reality (VR)technique disclosed herein also may be implemented in an augmentedreality (AR) environment. For example, for clarity of explanation,various embodiments disclosed herein are described in conjunction withAR overlays. However, each of these embodiments could also beimplemented by generating such overlays (e.g., field values, images,dashboards, cards, etc.) in a virtual reality (VR) environment.Accordingly, the term extended reality (XR) is sometimes used to referto techniques that can be performed in an augmented reality (AR) realityenvironment, a virtual reality (VR) environment, and/or any combinationthereof.

Extended reality application 1814 then receives the field values fromdata intake and query system 108, where the field values represent thevalues of one or more metrics associated with the identified machines.In an implementation, the field values are extracted from fields thatare defined post-ingestion, e.g., at search time, as has been previouslydescribed, e.g., with a late-binding schema. Extended realityapplication 1814 generates an AR overlay, where the overlay is avisualization of the field values.

In various embodiments, extended reality application 1814 superimposesthe AR overlay onto the image(s) acquired via the camera 1820. Forexample, the AR overlay could be overlaid at a position relative to thecorresponding optical data marker, such as on top of the optical datamarker and/or next to the optical data marker. Extended realityapplication 1814 then causes the images superimposed with the AR overlayto be displayed on the display device 1824. In some embodiments,extended reality application 1814 may cause the AR overlay to bedisplayed on the display device 1824, without displaying the acquiredimage. In general, extended reality application 1814 superimposes the ARoverlay based on any one or more of one or more determined dimensionsand/or positions of the machine or other object, the known size of theoptical data marker, the three-dimensional location and/or orientationof the optical data marker, and the detected plane of the optical datamarker.

In some embodiments, extended reality application 1814 may receiveadditional information from data intake and query system 108 and maydisplay the additional information on the display device 1824. Thisadditional information may be in any technically feasible format. Forexample, data intake and query system 108 could transmit variousschemas, dashboards, cards, playbooks, runbooks, and/or visualizationsthat include data, including real-time data (e.g., near real-time data)associated with a particular machine. The schemas, dashboards, cards,playbooks, runbooks, and/or visualizations may then be overlaid with thereal-world component by extended reality application 1814 in conjunctionwith an optional mobile template, as discussed below in further detail.

After superimposing the AR overlay, along with any appropriate schemas,dashboards, cards, playbooks, runbooks, and/or other visualizations,onto the image(s) acquired via the camera 1820, extended realityapplication 1814 may store the enhanced image in an enhanced image datastore and/or in a memory associated with a processor (e.g., a memory ofa central processing unit, graphics processing unit, etc.). In someembodiments, the enhanced image data store may be stored within database1816. In some embodiments, extended reality application 1814superimposes the AR overlay, along with any appropriate schemas,dashboards, cards, playbooks, runbooks, and/or other visualizations ontoa virtual reality scene rather than onto an image acquired from thecamera 1820. In such embodiments, the images stored in the enhancedimage data store represent virtual reality (VR) images augmented with ARoverlays, rather than acquired images augmented with AR overlays.

In some embodiments, extended reality application 1814 may generate abounding box associated with the optical data marker and/or theassociated machine or other object. Extended reality application 1814may generate such a bounding box based on any of the data describedabove, such as size, position, orientation, and plane information of theoptical data marker and/or the associated machine or other object. Insuch embodiments, extended reality application 1814 may employ thebounding box to scale (e.g., based on a scaling factor) the 2D or 3Dmodel of the machine when generating the AR overlay. The boundary boxinformation may be stored in the data of the optical data marker.Additionally or alternatively, extended reality application 1814 maygenerate the bounding box locally. Further, extended reality application1814 may paint-fill one or more boundaries of the bounding box. Such apaint-filled bounding box may be employed as a rough 2D or 3D model ofthe machine in lieu of a more detailed 2D or 3D model.

In general, extended reality application 1814 acquires images, decodesoptical data markers, receives field values extracted from events,generates schemas, dashboards, cards, and/or visualizations, generatesAR overlays based on the field values, and causes the schemas,dashboards, cards, playbooks, runbooks, visualizations, and/or ARoverlays to be displayed in a continuous manner as the camera 1820 ispointed at different machines in the industrial environment. In thismanner, a technician may walk through an industrial environment andvisually determine the status of the machines in that environment. Forexample, the technician may be able to quickly identify any machinesthat need attention, repair, or replacement. In one example, the ARoverlay could display the operating temperature, CPU utilization, and/ormemory utilization for a particular machine. By pointing the camera 1820at the machine, the technician would then see the AR overlay, enablingthe technician to visually determine whether the machine is operating atan excessive temperature or outside of a normal range of CPU or memoryutilization. In another example, the AR overlay could display therevolutions per minute (RPM) of each of three fans included in aparticular machine. The technician could then identify and locate aparticular fan that has failed. Similarly, the AR overlay could displayan operating temperature of each of two CPUs for a particular machine.The technician could then identify and locate a particular CPU that isoperating at an excessive temperature.

In some embodiments, extended reality application 1814 further receivesa two-dimensional (2D) or three-dimensional (3D) model of the machinesidentified via the optical data markers. The 2D or 3D model may be asimple outline, such as a border around a front panel or bezel of themachine. Alternatively, the 2D or 3D model may be a complex shaperepresenting the housing of the machine. In some embodiments, extendedreality application 1814 may receive the 2D or 3D model from data intakeand query system 108. Additionally or alternatively, the 2D or 3D modelmay be encoded in the optical data marker. In the latter case, extendedreality application 1814 decodes the optical data marker and retrievesthe 2D or 3D model from the decoded data.

Once a 2D or 3D model is acquired, extended reality application 1814calculates the size and/or the plane of the optical data marker in theacquired image. This can be done through a variety of plane detectiontechniques, some of which may leverage an arrangement of the opticaldata marker, e.g., a positioning or arrangements of certain portions ofa QR code. In other implementations, e.g., when the optical data markeris attached to a fixed object, this information may be coded into theoptical data marker. Extended reality application 1814 them compares thesize and/or the plane of the optical data marker in the acquired imagewith the actual size of the optical data marker. Extended realityapplication 1814 may then scale and orient the model based on thecomparison. When generating the AR overlay for a particular machine,extended reality application 1814 includes the scaled and oriented modelin the AR overlay.

In some embodiments, extended reality application 1814 may be configuredto generate a boundary or outline from measurements taken of a machineor other object of interest and store a 3D model of the machine based onthe boundary or outline. In operation, a technician or may point thecamera 1820 of the client device 404 at a machine or other physicalobject of interest. Extended reality application 1814 may display animage of the machine along with an AR measuring tape or othermeasurement tool. In various implementations, extended realityapplication 1814 may leverage other sensors of the client device 404, inaddition to camera 1820, to assist in measurements of the object ofinterest, e.g., an accelerometer, a gyroscope, and a compass. Thetechnician may manipulate the AR measuring tape along the outside of themachine to measure key dimensions of the machine. Extended realityapplication 1814 may also aid the technician in locating key coordinatesof the machine, such as the location of the corners of an enclosure orhousing associated with the machine.

Once the technician completes the scan, extended reality application1814 may generate a rough outline of the machine based on the keydimensions and key coordinates of the machine. This rough outline may beused as a general or inexact 3D model that approximates a graphicalbounding box surrounding the enclosure or housing of the machine.Extended reality application 1814 may further generate plane data thatdefines the planar surfaces of the enclosure or housing. In variousimplementations, extended reality application 1814 may offload some ofthe intermediate processing steps of generating the 3D model to serveror cloud-based resources. The 3D model may be in any technicallyfeasible format, including, without limitation, a scalable vectorgraphics (SVG) model or a polygonal mesh model. Extended realityapplication 1814 may store the 3D model and the plane data in thedatabase 1816. Further, extended reality application 1814 may transmitthe 3D model and plane data to data intake and query system 108 forstorage. Additionally or alternatively, extended reality application1814 may store the 3D model in the optical data marker associated withthe machine. In another implementation, extended reality application1814 may generate a new or additional optical data marker that includesthe 3D model or a reference (e.g., a pointer, link, address, etc.) to alocation of the 3D model.

Later, when a technician points the camera 1820 at the optical datamarker, extended reality application 1814 retrieves the 3D model encodedinto the optical data marker. Alternatively, extended realityapplication 1814 retrieves the unique identifier encoded into theoptical data marker. Extended reality application 1814 then retrievesthe 3D model associated with the unique identifier from either database1816 or from data intake and query system 108. Further, the roughoutline 3D model and/or the plane data for a given machine can beassociated, either through best-fit matching, a machine learningalgorithm, human intervention, or some combination thereof, with ahigher-resolution, more complex 3D model, such as a 3D model of themachine generated by a computer aided design (CAD) application program.When generating the AR overlay for the machine associated with theoptical data marker, extended reality application 1814 includes eitherthe rough outline 3D model or the complex 3D model as part of the ARoverlay. In other implementations, various techniques may be applied tothe 3D model to increase or decrease the amount of space and/orresources required to store and/or render the 3D model as part of theoverlay in the extended reality environment.

In addition, when a technician points the camera 1820 at a new machinethat includes an optical data marker, extended reality application 1814may detect plane data of the new machine. Extended reality application1814 may then implement the plane data in order to determine how a 2D or3D model of the machine will be positioned, oriented, scaled, etc.

In some embodiments, extended reality application 1814 may be configuredto scan the boundary or outline of a machine or other object of interestand store a 3D model of the machine based on the boundary or outline. Inoperation, a technician or operator may point the camera 1820 of theclient device 404 at a machine or other physical object of interest.Extended reality application 1814 may display an image of the machine.Extended reality application 1814 may detect an optical data markerassociated with the machine and may determine that the correspondingmachine has no corresponding 2D or 3D model. Extended realityapplication 1814 may then analyze images acquired via the camera 1820 toscan the machine and to perform an edge detection process. Based on thescan and edge detection, extended reality application 1814 may generatea boundary of a portion of the machine. In an implementation, thisboundary may be highlighted or emphasized to the technician or otheroperator through various techniques, including using a paint-fillprocess, which will be described in more detail herein. Other techniquesfor drawing boundaries and allowing users to select them may beimplemented instead of the paint-fill process. Thus, extended realityapplication 1814 may perform a paint-fill on the boundary to fill theboundary or outline with a color. Extended reality application 1814 mayrepeat the edge detection and paint-fill processes to generate a set ofconcentric or overlapping paint-filled boundaries. Extended realityapplication 1814 may further generate plane data that defines a planarsurface of the paint-filled boundaries.

Once a set of paint-filled boundaries is generated, extended realityapplication 1814 may receive a selection of one of the boundaries.Typically, extended reality application 1814 displays the set ofpaint-filled boundaries, and the technician selects a boundary that mostclosely matches a contour of the machine, however other techniques couldbe implemented for narrowing down the set of paint-filled boundaries,including application of training data for similar sets. Extendedreality application 1814 may optionally thicken the border of theselected boundary. The technician may repeat the process set forth aboveat different view angles, and extended reality application 1814 maygenerate a series of boundaries and corresponding plane data of themachine at different view angles. Extended reality application 1814 maythen generate a 3D model, such as a 3D texture bitmask, based on theseries of boundaries and corresponding plane data. Additionally oralternatively, extended reality application 1814 may generate an SVGmodel or polygon mesh model of the machine. Extended reality application1814 may then store the 3D model in database 1814 and/or transmit the 3Dmodel to data intake and query system 108.

Later, when a technician points the camera 1820 at the optical datamarker, extended reality application 1814 retrieves the 3D model anddisplays the 3D model as part of the AR overlay, in the manner describedabove. In addition, when a technician points the camera 1820 at a newmachine that includes an optical data marker, extended realityapplication 1814 may detect plane data of the new machine and retrievean existing 3D model with matching plane data, as described above.

It will be appreciated that the system shown herein is illustrative andthat variations and modifications are possible. In one example, theoptical data markers described herein are in the form of QR codes. EachQR code may store up to approximately four kilobytes of data. However,any form of marker or code that includes a unique identifier for eachmachine in an industrial environment is within the scope of the presentdisclosure.

4. Trusted Tunnel Bridge Service

As described above, one problem with conventional approaches formonitoring and/or servicing machines in a particular operatingenvironment is that the device that displays the performance metrics maybe separated by firewall from the one or more applications that computethe performance metrics. As a result, the firewall may blockcommunications between the device and the application such that thedevice cannot receive the performance metrics.

Accordingly, in various embodiments disclosed herein, a trusted tunnelbridge service may be implemented to enable the application thatcomputes performance metrics to communicate with a device that receivesthe performance metrics without opening a port in a firewall included ina network. The trusted tunnel bridge service establishes separateWebSocket connections with a source application located in a givennetwork and a destination device located in a different network. Thetrusted tunnel bridge service enables end-to-end encryption (E2EE) ofcommunications between the source application and destination device byreceiving encrypted data packets originating from the source applicationthrough one WebSocket connection and then sending the encrypted datapacket to the destination device through a different WebSocketconnection. These techniques are described below in further detail inconjunction with FIGS. 19-23.

4.1. Trusted Tunnel Bridge Service System

FIG. 19 is a block diagram 1900 of a more detailed view of an examplenetworked computer environment 100 of FIG. 1, in accordance with exampleembodiments. As shown, the networked computer environment 1900 mayinclude, without limitation, a first network 1910 that includes a sourceapplication 1912, a second network 1920 that includes a destinationdevice 1922, a tunnel bridge 1930, and a database 1940 that includes akey store 1942 and a routing table 1944. During operation, tunnel bridge1930 operates as a trusted tunnel bridge service that establishesWebSocket connections 1952 and 1954. The trusted tunnel bridge serviceprovides end-to-end encryption (E2EE) of communications between thesource application 1912 and the destination device 1922 by transmittingone or more encrypted data packets 1918 between the source application1912 and the destination device 1922.

Network 1910 can be a communications network, such as a local areanetwork (LAN), wide area network (WAN), cellular network (e.g., LTE,HSPA, 3G, 4G, and/or any other network based on cellular technologies),and/or networks using any of wired, wireless, terrestrial microwave, orsatellite links. In some embodiments, the network 1910 may be a networkthat includes one or more components that enable a cloud-based service.As discussed above in relation to FIG. 3, the cloud-based service is aservice hosted by one or more computing resources that are accessible tothe destination device 1922 through the network 1910.

In some embodiments, a firewall may be present between one or moredevices in the network 1910 and other devices, including the tunnelbridge 1930 and/or the destination device 1922 within the second network1920. In some embodiments, the tunnel bridge 1930 and/or the database1940 may be included in the second network 1920. In some embodiments,the network 1910 includes one or more computing resources executing thesource application 1912, and a field-searchable data store (not shown)that stores raw machine data.

Source application 1912 may be an application executed by one or morecomputing resources within the network 1910. In some embodiments, thesource application 1912 may be an application that generates, computes,and/or collects performance metrics associated with machines within thesecond network 1920. In various embodiments, the source application 1912may be an application that implements the data intake and query system108 that retrieves data by querying a field-searchable data storeincluded in the network 1910. For example, the source application 1912may be an instance of the SPLUNK® ENTERPRISE system, an applicationwithin the cloud-based environment, such as SPLUNK CLOUD™, anapplication for a self-service cloud, or another deployment of anapplication that implements the Splunk processing language (SPL).

Data packet 1918 is a formatted unit of data carried through the network1910 and/or the network 1920. In some embodiments, one or more of thesource application 1912 and the destination device 1922 may generate oneor more data packets 1918. Each data packet 1918 includes payload data1914 and a destination device identifier (DDI) 1916 that indicates thedevice that is to receive the data packet 1918. As shown, the sourceapplication 1912 generates a data packet 1918 that includes payload data1914 and a DDI 1916 that identifies the destination device 1922 as theintended recipient of the data packet 1918.

In some embodiments, the device generating the data packet 1918 maygenerate the data packet 1918 as an encrypted data packet. For example,the source application 1912 may generate an encrypted data packet 1918as part of an E2EE system, such that only the destination device 1922can read the payload data 1914. In other embodiments, the destinationdevice 1922 may generate one or more encrypted data packets, whichtunnel bridge 1930 transmits to the source application 1912. In someembodiments, the source application 1912 and the destination device 1922may implement encryption technique in accordance with Signal protocol orIntegrated Encryption Scheme (IES) protocol. It is noted that other E2EEencryption techniques are within the scope of the present invention.

When generating the encrypted data packet 1918 in accordance with anE2EE encryption technique, the source application 1912 may implement apublic/private key pair system. For example, the source application 1912can encrypt the data packet 1918 using a public key associated with thedestination device 1922. In such instances, the destination device 1922can decrypt the encrypted data packet 1918 upon receipt using thecorresponding private key associated with the destination device 1922.Similarly, the destination device 1922 can encrypt a data packet using apublic key associated with the source application 1912, where the sourceapplication 1912 decrypts the encrypted data packet using a private keyassociated with the source application 1912.

Payload data 1914 is a portion of data included in the data packet 1918.In some embodiments, the payload data 1914 may include real-time dataassociated with performance metrics of one or more machines included inthe network 1910 and/or the network 1920. In various embodiments, thepayload data 1914 may include a portion of data obtained by the sourceapplication 1912 as part of a query to the field-searchable data store.For example, the payload data 1914 may include one or more field valuesextracted from one or more fields that are present in raw machine dataincluded in one or more field-searchable events. Each field-searchableevent may include a portion of a set of raw machine data. In someembodiments, the set of raw machine data may reflect activities oroperations in an information technology environment and may be producedby one or more components of the information technology environment.

For example, the source application 1912 may implement the data intakeand query system 108 to extract one or more fields of data from thefield-searchable data store. In such instances, the source application1912 may retrieve the extracted fields as portions of a text string,such as: 2018-07-28 00:07:01,781 INFO [async_client] [async_client][async_post_request] [16574] POST headers={‘Authorization’: u′SplunkM4q2ROpGJCpng81Wi8JJsyV1yGIxrIhI_1UsIUxvVk3m_I12q6Q83Drf7P68v8H68kvQ7RHgA2eJz5oLSnw4dO0ywEsTodOD0jdWDNGhj9zFGNRuCiBWovEyXnO25X3_aNj SwyO_rE_ik7′, ‘Content-Type’:‘application/json’},uri=https://127.0.0.1:8089/servicesNS/nobody/spacebridge-app/storage/collections/data/alert_recipient_devices,params=None, data={“py/object”:“spacebridgeapp.data.alert_data.RecipientDevice”, “timestamp”: “1532736421.201776”, “alert_id”:“5b5bb3a580db6133e603d 33f”, “device_id”:“y+DJALQwOXERwVDBzUe34Oya1MINAIdOIPzRBdtt91U=”} host=ip-10-0-240-141source=/opt/splunk/var/log/splunk/spacebridge-app.log sourcetype=spacebridge-app-too_small.

In some embodiments, the source application 1912 and/or the destinationdevice 1922 may generate a series of data packets that include portionsof related payload data. For example, the source application 1912 mayseparate a large volume of data into multiple payloads 1914 and maypackage in multiple data packets 1918.

Destination device identifier (DDI) 1916 indicates the intendedrecipient of the data packet 1918. DDI 1916 is included in data packet1918, where the tunnel bridge 1930 or another component in the networkedcomputed environment 1900 uses the DDI 1916 to identify the recipient ofthe data packet 1918. In some embodiments, the DDI 1916 does notindicate the computer network or the network address of the intendedrecipient. In such instances, the tunnel bridge 1930 may retrieve theDDI 1916 from the data packet 1918 and use the DDI 1916 to identify theintended recipient and determine the corresponding address of the deviceassociated with the intended recipient.

In some embodiments, the DDI 1916 is a short, unique identifierassociated with a single device within the network 1910 or the network1920. For example, in some embodiments, the DDI 1916 may be a hash of alonger device identifier, such as a hardware ID. In another example, theDDI 1916 may be a portion of an advertiser device ID, such as aUniversal Device ID (UDID), Identifier for Advertisers (IDFA), AndroidID, or Advertising ID. In various embodiments, the DDI 1916 may be ahash of a public key associated with the device. For example, the sourceapplication 1912 may generate the DDI 1916 based on a hash of the publickey associated with the destination device 1922, and may encrypt thedata packet 1918 using the same public key.

Network 1920 is similar to the network 1910 and a communicationsnetwork, such as a local area network (LAN), wide area network (WAN),cellular network (e.g., LTE, HSPA, 3G, 4G, and/or any other networkbased on cellular technologies), and/or networks using any of wired,wireless, terrestrial microwave, or satellite links. In someembodiments, the network 1920 may be an AMAZON® web services (AWS)network that enables cloud-based services and stores data within thenetwork. In some embodiments, one or more of the destination device1922, the tunnel bridge 1930 and the database 1940 are included in thenetwork 1920.

Destination device 1922 is a device that receives data packets 1918 fromthe source application 1912 via the tunnel bridge 1930. In someembodiments, the destination device 1922 executes one or moreapplications that display, compute, or generate data based on datareceived from the source application 1912. For example, the destinationdevice 1922 may execute an augmented reality or virtual reality (AR/VR)application, such as extended reality application 1814, that displaysperformance metrics. In some embodiments, the destination device 1922may include, without limitation, smartphones, tablet computers, handheldcomputers, wearable devices, laptop computers, desktop computers,servers, portable media players, gaming devices, an Apple TV® devices,and so forth.

In some embodiments, the source application 1912 may send messages inaccordance with the push notification service 1854, such as the APPLE®Push Notification service (APN), or GOOGLE® Cloud Messaging (GCM). Forexample, the destination device 1922 may receive various schemas,dashboards, playbooks, runbooks, cards, and/or visualizations thatinclude real-time data associated with performance metrics of aparticular machine. The schemas, dashboards, cards, and/orvisualizations may then be overlaid with the real-world component by anAR/VR application.

Tunnel bridge 1930 is a device that establishes communications with oneor more devices included in the network 1910 and/or the network 1920.For example, tunnel bridge 1930 may establish a WebSocket connection tosource application 1912 that implements one or more portions of the dataintake and query system 108 in the network 1910 and a separate WebSocketconnection to the destination device 1922 in the network 1920. In someembodiments, the tunnel bridge 1930 may act as a trusted tunnel bridgeservice and may establish trust with one or more devices in order toestablish secure WebSocket connections with such devices. As will bediscussed in further detail, the tunnel bridge 1930 may performauthentication operations with other devices in order to establishtrust, and may then establish secure communications channels with theother devices, where the tunnel bridge 1930 and other devices andtransmit secure communications using the secure communications channels.

In some embodiments, the tunnel bridge 1930 may act as apublisher/subscriber buffer that may store messages received from adevice and then transmit the messages to one or more subscribers. Forexample, the tunnel bridge 1930 may store the data packet 1918, receivedfrom the source application 1912, in database 1940 before transmittingthe data packet 1918 to the destination device 1922. In someembodiments, the tunnel bridge 1930 may store the data packet whenestablishing the WebSocket connection 1954 with the destination device1922.

In some embodiments, the tunnel bridge 1930 enables E2EE communicationsbetween two separate devices by forwarding one or more encrypted datapackets 1918 without decrypting the encrypted data packets 1918. Forexample, the tunnel bridge 1930 may receive the encrypted data packet1918 that includes the DDI 1916. The tunnel bridge 1930 may retrieve theDDI 1916 without decrypting the data packet 1918 and, based onidentifying the destination device 1922 based on the DDI 1916, maytransmit the encrypted data packet 1918 to the destination device 1922via WebSocket connection 1954.

Database 1940 is a database that stores document data structures and oneor more keys. In some embodiments, the database 1940 may be in the samenetwork as tunnel bridge 1930. In some embodiments, database 1940 maystore data packets received by tunnel bridge 1930. Database 1940 may bea structure query language (SQL) database, or a NoSQL database, such asan AMAZON® DynamoDB. Database 1940 includes a key store 1942 that storesencryption keys, including single-use session keys and long-term keysassociated with devices that send E2EE communications. Database 1940also includes a routing table 1944 that includes address informationassociated with devices included in the network 1910 and the network1920. In some embodiments, the tunnel bridge 1930 may send queries tothe database 1940 in order to determine, based on the DDI 1916, theaddress of the intended recipient of a particular data packet 1918.

WebSocket connections 1952 and 1954 are full-duplex communicationschannels between tunnel bridge 1930 and devices within the network 1910and the network 1920, respectively. Tunnel bridge 1930 establishes theWebSocket connections 1952 and 1954 using WebSocket handshake techniqueswith a particular device. In some embodiments, the WebSocket connectionenables two-way communications between the tunnel bridge 1930 and adevice without opening a port in a firewall. For example, as shown, theWebSocket connection 1952 between the tunnel bridge 1930 and the sourceapplication 1912 provides a persistent, always-open, asynchronous socketfor bidirectional communications through a firewall of network 1910. Insome embodiments, the WebSocket connection can be a secure connectionthat facilitates encrypted communication. For example, the tunnel bridge1930 may establish a secure WebSocket connection 1954 to the destinationdevice 1922 in order to transmit encrypted data packets 1918 directly tothe destination device 1922.

FIG. 20 illustrates a more detailed view of the example networkedcomputer environment 2000, in accordance with example environments.Networked computing environment 2000 includes multiple tunnel bridgeinstances 2032(1)-2032(3) and a routing/forwarding table 2044.Routing/forwarding table 2044 includes multiple entries 2052-2058 formultiple devices that include source application 1912 and/or destinationdevices 1922, where each entry 2052-2058 includes information inmultiple fields. Routing/forwarding table 2044 includes fields for thedestination network 2042, the destination device address 2044, thedestination device identifier (DDI) 2046, and the interface 2048. Insome embodiments, routing/forwarding table 2044 includes other fields,such as a creation time, and expiration time (not shown).

Tunnel bridge instances 2032(1)-2032(3) are multiple instances of thetrusted tunnel bridge service executed by the tunnel bridge 1930. Insome embodiments, multiple tunnel bridge instances 2032(1)-2032(3) mayoperate in parallel and may each receive a copy of the same data packet1918. In such instances, the networked computer environment 2000 may bestateless, as at least one of the tunnel bridge instances 2032(3) mayoperate while one or more of the other tunnel bridge instances2032(1)-2032(2) are non-operational. In some embodiments, one or more ofthe tunnel bridge instances 2032(1)-2032(3) may store a copy of areceived data packet 1918 in the database 1940. One or more of thetunnel bridge instances 2032(1)-2032(3) may then retrieve the datapacket 1918 in order to transmit the data packet 1918 to intendedrecipient, identified as the destination device 1922.

Routing/forwarding table 2040 may be a table that includes address anddevice information for one or more devices in network 1910 and/ornetwork 1920. Routing/forwarding table 2040 operates as a routing tableby including addresses and other fields for particular networkdestinations. Routing/forwarding table 2040 also operates as aforwarding table for particular data packets by including preferredroutes for packet forwarding. In cases where the tunnel bridge 1930establishes a WebSocket connection, the preferred route for forwarding apacket to a particular device may be information associated with adirect connection with the particular device. In some embodiments, therouting/forwarding table 2040 includes one or more fields relating tothe address and/or device information for particular devices. Forexample, the routing/forwarding table 2040 may include information forthe destination network 2042, the destination device address 2044, thedestination device identifier (DDI) 2046, and the interface 2048.

Entries 2052-2058 are individual entries in the routing/forwarding table2040, each corresponding to a device within the network 1910, thenetwork 1920, or a different computer network (not shown). In someembodiments, the tunnel bridge 1930 may identify a device based on acorresponding entry 2052-2058 within the routing/forwarding table 2040and may send data packets 1918 to the identified device. For example,one or more of the tunnel bridge 1930 and/or the tunnel bridge instances2032(1)-2032(3) may search routing/forwarding table 2040 in order todetermine address information for an intended recipient of a data packet1918. The tunnel bridge 1930 and/or the tunnel bridge instances2032(1)-2032(3) may use the DDI 1916 of a received data packet 1918 as asearch key to locate a corresponding entry 2052-2058 in therouting/forwarding table 2040. Upon determining the address informationfor the intended recipient, the tunnel bridge 1930 and/or the tunnelbridge instances 2032(1)-2032(3) may establish a WebSocket connectionand directly transmit the data packet 1918 to the intended recipient.

4.2. Trusted Tunnel Bridge Service Techniques

FIG. 21 illustrates a call flow diagram showing interactions betweenvarious components of the example networked computing environment 1900,in accordance with example embodiments. One or more components of thenetwork computer environment 1900 may perform various operations 2100,including an authentication operation 2110, a WebSocket connectionoperation 2120, an initial data packet transmission operation 2130, anda subsequent data packet transmission operation 2140.

During the authentication operation 2110, the tunnel bridge 1930authenticates 2112 with the source application 1912 and separatelyauthenticates 2114 with the destination device 1922. After completion ofthe authentication operation 2110, the tunnel bridge 1930 operates as atrusted tunnel bridge service that the source application 1912 and thedestination device 1922, respectively, trusts when receiving datapackets 1918 from the tunnel bridge 1930. Similarly, the tunnel bridge1930 trusts the data packets 1918 received from the source application1912 and/or the destination device 1922, respectively.

During the WebSocket connection operation 2120, the tunnel bridge 1930establishes WebSocket connections 1952 and 1954 with one or more devicesin the networks 1910 and 1920 by conducting one or more WebSockethandshakes with a particular device and/or application. For example, asshown, the destination device 1922 may conduct a WebSocket handshakewith the tunnel bridge 1930. When conducting the WebSocket handshake,the destination device 1922 may initiate establishing a WebSocketconnection 1954 by sending a WebSocket connection request 2122 to thetunnel bridge 1930. In some embodiments, the request message 2122 mayindicate that the destination device 1922 is requesting a secureWebSocket connection. The tunnel bridge 1930 responds to the destinationdevice 1922 with a response message 2124 indicating that the WebSocketconnection 1954 is established between the destination device 1922 andthe tunnel bridge 1930.

In another example, the source application 1912 may conduct a WebSockethandshake with the tunnel device 1930. When conducting the WebSockethandshake, the source application 1912 may initiate establishing aWebSocket connection 1952 by sending a WebSocket connection request 2126to the tunnel bridge 1930. The tunnel bridge 1930 responds to the sourceapplication 1912 with a response message 2128 indicating that theWebSocket connection 1954 is established between the source application1912 and the tunnel bridge 1930.

In some embodiments, the tunnel bridge 1930 may execute a WebSocketconnection operation 2120 to establish the WebSocket connections 1952,1954 as part of the authentication operation 2110. In such instances,the trusted tunnel bridge 1930 can execute the WebSocket connectionoperation 2120 after completing authentication with the sourceapplication 1912 and/or the destination device 1922, respectively. Inother embodiments, the tunnel bridge 1930 may execute the WebSocketconnection operation 2120 in order to update an existing WebSocketconnection 1952 or 1954.

The initial data packet transmission operation 2130 may be performedbetween the source application 1912 and the destination device 1922 viathe tunnel bridge 1930. Although a call flow from the source application1912 to the destination device 1922 is illustrated, other call flows,including a call flow originating at the destination device 1922 andending at the source application 1912, are within the scope of theexample embodiments.

At 2131, the source application 1912 generates a data packet 1918. Insome embodiments, the source application 1912 generates the data packet1918 in response to a request from a user and/or a request received fromthe destination device 1922 (not shown). In some embodiments, the sourceapplication 1912 may generate (e.g., at regular intervals) one or moredata packets 1918 independent of receiving a data request from the userand/or the destination device 1922. In some embodiments, the sourceapplication 1912 generates an encrypted data packet 1918 that includespayload data 1914 and a DDI 1916 that identifies the destination device1922. When generating the encrypted data packet 1918, the sourceapplication 1912 may encrypt the data packet 1918 using a public keyassociated with the destination device 1922. In such instances, thedestination device 1922 may decrypt the data packet 1918 upon receptionusing the corresponding private key.

At 2132, the source application 1912 sends the data packet 1918 to thetunnel bridge 1930. In some embodiments, the source application 1912sends an initial encrypted data packet 1918 that includes the DDI 1916to the tunnel bridge 1930 via the WebSocket connection 1952. Uponreceiving the data packet 1918 from the source application 1912, thetunnel bridge 1930 determines the address 2044 of the destination device1922. As shown, the address 2044 of the destination device 1922corresponds to the IP address of the destination device 1922 within thenetwork 1920.

In some embodiments, the tunnel bridge 1930 determines the address ofthe destination device 1922 by sending a lookup request 2133 to thedatabase 1940. For example, the tunnel bridge 1940 can send a lookuprequest 2133 that to the database 1940, where the lookup request 2133includes the DDI 1916 included in the data packet 1918 received from thesource application 1912. When the tunnel bridge 1930 sends the lookuprequest 2133 including the DDI 1916, the tunnel bridge 1930 may use theDDI 1916 as a search key to search for a corresponding entry 1952-1958within the routing/forwarding table 2040 included in the database 1940.When an entry included in the routing/forwarding table 2040 includes theDDI 1916, the database 1940 sends the entry (referred to as thecorresponding table entry 2134) to the tunnel bridge 1930. In someembodiments, the database 1940 sends all the information included in thecorresponding table entry 2134, including the destination network 2042,the destination device address 2044, and the interface 2048 for thedestination device 1922.

At 2135, the tunnel bridge 1930 sends the data packet 1918 to thedestination device 1922 based on at least the address 2044 correspondingto the destination device 1922. In some embodiments, once thedestination device 1922 receives the encrypted data packet 1918 from thetunnel bridge 1930, the destination device 1922 at 2136 may decrypt thereceived encrypted data packet 1918. In some embodiments, thedestination device 1922 may use a private key associated with thedestination device 1922 to decrypt the encrypted data packet 1918.

In some embodiments, the tunnel bridge 1930 may check to determinewhether a WebSocket connection 1954 is established between the tunnelbridge 1930 and the destination device 1922. When the WebSocketconnection 1954 is not established, the tunnel bridge 1930 may perform aportion of the WebSocket connection operation 2120 in order to establishthe WebSocket connection 1954 between the tunnel bridge 1930 and thedestination device 1922 before sending the data packet 1918. In someembodiments, the tunnel bridge 1930 sends the encrypted data packet 1918received from the source application 1912 without decrypting theencrypted data packet 1918. In such instances, the source application1912 and the destination device 1922 may perform E2EE communications viathe tunnel bridge 1930 without the tunnel bridge 1930 decrypting thedata packet 1918 while en route.

The subsequent data packet transmission operation 2140 is performedbetween the source application 1912, the tunnel bridge 1930, and thedestination device 1922 after the initial data packet 1918 issuccessfully delivered to the destination device 1922. In someembodiments, the destination device 1922 may deliver a response message(not shown) to the source application 1912 via the tunnel bridge 1930acknowledging the successful receipt of the initial data packet 1918.When delivering subsequent data packets to the destination device 1922,the tunnel bridge 1930 may deliver the data packets to the destinationdevice 1922 via the WebSocket connection 1954 based on the DDI includedin each subsequent data packet without referring to therouting/forwarding table 2040 to determine the address 2044 of thedestination device 1922.

During the subsequent data packet transmission operation 2140, thesource application 1912 at 2141 sends additional data packets to thetunnel bridge 1930. In some embodiments, each of the additional datapackets includes the DDI of the destination device 1922. The tunnelbridge 1930 at 2142 sends the additional data packets to the destinationdevice 1922. In some embodiments, the tunnel bridge 1930 may refer tothe DDI of the additional data packet, and then based on the DDI, sendthe additional data packet to the destination device 1922 via theWebSocket connection 1954. Upon receiving the additional data packet,the destination device 1922 at 2143 decrypts the additional data packet.

In some embodiments, the destination device 1922 may send one or moremessages to source application 1912 via tunnel bridge 1930 and the oneor more WebSocket connections 1952 and 1954. In some embodiments, themessages sent by the destination device 1922 may be sent in response tothe one or more data packets sent by the source application 1912 viatransmission operations 2130 and 2140. In other embodiments, thedestination device 1922 may send messages to the source application 1912independent of any messages sent by the source application 1912. In someembodiments, the destination device 1922 may encrypt the message using apublic key associated with the source application 1912 and may includean identifier (e.g., a DDI 1916) associated with the computing resourceor device that is executing the source application 1912.

When sending a response message, the destination device 1922 at 2144sends a message to the tunnel bridge 1930. In some embodiments, thetunnel bridge 1930 may at 2145 forward the message to the sourceapplication 1912 without referring to the database 1940 to identify theDDI included in the message that identifies the computing resource ordevice that is executing the source application 1912. In otherembodiments, the tunnel bridge 1930 may first refer to therouting/forwarding table 2040 included in the database 1940 in order toidentify the address 2044 of the computing resource that executes thesource application 1912 before sending the message to the sourceapplication 1912.

In some embodiments, the source application 1912, the tunnel bridge1930, and/or the destination device 1922 may perform on or more portionsof the subsequent data packet transmission operation 2140 until theWebSocket connections 1952 and 1954 are no longer established. In suchinstances, the destination device 1922 and the source application 1912may send encrypted messages through the WebSocket connection 1952, 1954and the tunnel bridge 1930.

FIG. 22 illustrates another call flow diagram showing interactionsbetween various components of the example networked computingenvironment, in accordance with example embodiments. The one or morecomponents may execute authentication operation 2200 to establish trustbetween the one or more components. As shown, the components include thedestination device 1922, the tunnel bridge 1930, the source application1912, and a user 2260.

At 2201, the destination device 1922 initially sends a request for anauthentication key. In some embodiments, the authentication key may be asingle-use session key to be used during E2EE communications. In someembodiments, the destination device 1922 may request a long-termpublic/private key pair to be used for authentication. At 2203, thetunnel bridge 1930 sends an authentication key as a response to therequest at 2201. Upon receiving the authentication key at 2203, thedestination device 1922 signs a certificate using the authentication keyand, at 2205, sends the signed certificate to the tunnel bridge 1930.

In some embodiments, the user 2260 has access to the destination device1922 and has access to the authentication key 2203 received by thedestination device 1922. In such instances, the user 2260 at 2207 mayenter and send the same authentication key to the source application1912. In response, the source application 1912 at 2209 may send arequest for the self-signed certificate and download the self-signedcertificate from the tunnel bridge 1930.

At 2211, the user 2260 verifies the certificate information of theself-signed certificate. At 2213, the user 2260 enters credentialsassociated with the source application 1912. For example, the user 2260may enter credentials associated with the data intake and query system108. In response, at 2215, the source application 1912 associates, inthe key store 1942 of the database 1940, the public key associated withthe destination device 1922 with the user 2260.

At 2217, the source application 1912 uploads the encrypted credentialsto the tunnel bridge 1930. The tunnel bridge 1930 then at 2219 pushesthe received credentials to the destination device 1922. Upon receivingthe credentials from the tunnel bridge 1930, at 2221, the destinationdevice 1922 verifies and assigns the certificate information to thesource application 1912. As a result of the authentication technique2000, the destination device 1922 trusts messages sent from the sourceapplication 1912. Further, the source application 1912 trusts that thedestination device 1922 is authorized to receive data associated withthe user 2260.

FIG. 23 sets forth a flow diagram of method steps for sending anencrypted data packet to a destination device, in accordance withexample embodiments. Although the method steps are described inconjunction with FIGS. 1-22, persons of ordinary skill in the art willunderstand that any system configured to perform this method and/orother methods described herein, in any order, and in any combination notlogically contradicted, is within the scope of the present invention.

As shown, method 2300 optionally begins at step 2301, where the tunnelbridge 1930 completes authentication with the source application 1912,and the destination device 1922, respectively. During authentication,the tunnel bridge 1930 sends an authentication key to the destinationdevice 1922 and the destination device 1922 responds by sending a signedcertificate to the tunnel bridge 1930. The source application 1912 thendownloads the signed certificate from the tunnel bridge 1930.

At step 2303, the tunnel bridge 1930 establishes a WebSocket connectionwith the destination device 1922 by conducting a WebSocket handshake.When conducting the WebSocket handshake, the tunnel bridge 1930 receivesa WebSocket connection request from the destination device 1922. In someembodiments, the WebSocket connection request may request theestablishment of a secure WebSocket connection 1954. The tunnel bridge1930 responds to the WebSocket connection request by establishing aWebSocket connection 1954 between the destination device 1922 and thetunnel bridge 1930. In some embodiments, the tunnel bridge 1930 may alsoestablish a WebSocket connection 1954 with the source application 1912.In such instances, the tunnel bridge 1930 can establish the respectiveWebSocket connections 1952 and 1954 independently.

At step 2305, the tunnel bridge 1930 receives a data packet 1918 fromthe source application 1912. In some embodiments, the tunnel bridge 1930initially receives the data packet 1918 from the destination device1922. The tunnel bridge 1930 receives an initial data packet 1918 thatincludes an identifier (DDI) 1916 of the destination device 1922 that isto receive the initial data packet 1918. In some embodiments, theinitial data packet 1918 may be encrypted in a manner that allows thedestination device 1922 to decrypt the initial encrypted data packet1918 and retrieve the payload data 1914 included in the initialencrypted data packet 1918. For example, the source application 1912 mayuse a public key associated with the destination device 1922 to encryptthe initial data packet 1918. The tunnel bridge 1930 receives theinitial encrypted data packet 1918 from the source application 1912 viaa WebSocket connection between the tunnel bridge 1930 and the sourceapplication 1912. In some embodiments, the connection may be a WebSocketconnection 1952, such as a secure WebSocket connection.

At step 2307, the tunnel bridge 1930 determines the address of thedestination device 1922 associated with the DDI 1916 included in theencrypted data packet 1918. The tunnel bridge 1930 determines theaddress of the destination device 1922 by referring to arouting/forwarding table 2040 included in a database 1940. For example,the tunnel bridge 1930 may determine the address 2044 of the destinationdevice 1922 by sending to the database 1940 a lookup request thatincludes the DDI 1916 included in the encrypted initial data packet1918. In such instances, the tunnel bridge 1930 uses the DDI 1916 as asearch key to search for a corresponding entry 2052-2058 within therouting/forwarding table 2040. After a corresponding entry included inthe routing/forwarding table 2040 is identified, the tunnel bridge 1930receives the corresponding entry 2052 from the database 1940.

At step 2309, the tunnel bridge 1930 sends the data packet 1918 to thedestination device 1922. In some embodiments, the tunnel bridge 1930sends the encrypted data packet 1918 received from the sourceapplication 1912 without decrypting the encrypted data packet 1918. Insuch instances, the source application 1912 and the destination device1922 may perform E2EE communications via the tunnel bridge 1930 withoutthe tunnel bridge 1930 decryption the message while en route. In someembodiments, once the destination device 1922 receives the data packet1918 from the tunnel bridge 1930, the destination device 1922 maydecrypt the received data packet 1918. In some embodiments, thedestination device 1922 may use a private key associated with thedestination device 1922 to decrypt the encrypted data packet 1918.

In some embodiments, the tunnel bridge 1930 may receive additional datapackets from the source application 1912. Each of the additional datapackets received by the tunnel bridge 1930 includes the DDI 1916 of thedestination device 1922. Tunnel bridge 1930 sends each of the additionaldata packets to the destination device 1922 via the WebSocket connection1952. Once the tunnel bridge 1930 sends the additional data packet tothe destination device 1922, method 2300 may end.

Alternatively, at step 2311, the tunnel bridge 1930 may optionallyreceive a message from the destination device 1922. In some embodiments,the destination device 1922 may generate and send a different encrypteddata packet to the source application 1912 via the tunnel bridge 1930.In such instances, the data packet may be encrypted using a public keyassociated with the computing resource executing the source application1912. The encrypted data packet may include an identifier (e.g., a DDI)associated with the computing resource that is executing the sourceapplication 1912.

At step 2313, the tunnel bridge 1930 may optionally send the messagereceived in step 2311 to the source application 1912. In someembodiments, tunnel bridge 1930 may forward the message to the sourceapplication 1912 without referring to the database 1940 to using theidentifier included in the encrypted data packet. In other embodiments,the tunnel bridge 1930 may first refer to the routing/forwarding table2040 using the included identifier as a search key in order to identifythe address 2044 of the computing resource that is executing the sourceapplication 1912 before sending the message to the source application1912.

In some embodiments, the source application 1912, the tunnel bridge1930, and/or the destination device 1922 may send additional datapackets and/or response messages while the WebSocket connections 1952and 1954 are remain established. In such instances, the destinationdevice 1922 and the source application 1912 may send E2EE messagesthrough the WebSocket connection 1952 and 1954 and the tunnel bridge1930. Once the tunnel bridge 1930 completes the sending of the datapacket to the source application 1912 at step 2313, method 2300 may end.

In sum, a trusted tunnel bridge service establishes a WebSocketconnection with a destination device. The tunnel bridge receives one ormore encrypted data packets from a source application that is locatedwithin a computer network. The encrypted data packet includes payloaddata and an identifier associated with the destination device, which islocated in a different computer network. Upon receiving the encrypteddata packet, the tunnel bridge uses the identifier as a search key whenscanning entries of a routing/forwarding table for an entry thatincludes the identifier. The tunnel bridge uses the information from thecorresponding entry in the routing/forwarding table to identify theaddress of the destination device within the network and sends theencrypted data packet to the destination device via the WebSocketconnection.

At least one advantage of the disclosed techniques is that a device isable to receive data from an application in a different network withoutneeding an open port through a firewall within one of the networks. As aresult, the device is able to receive data relating to the performancemetrics of machines as computed by applications located in a differentnetwork. In addition, the system components located in differentnetworks are able to send E2EE communications because the trusted tunnelbridge service does not need to decrypt messages when determining theintended recipient of a message.

1. In some embodiments, a computer-implemented method comprisesreceiving, by a trusted tunnel bridge and from a first applicationexecuting in a first network, a first encrypted data packet, wherein thefirst encrypted data packet includes an encrypted portion of data, and adestination device identifier (DDI), determining, by the trusted tunnelbridge, a particular device in a second network and associated with theDDI included in the first encrypted data packet, and sending, by thetrusted tunnel bridge directly to the particular device, the firstencrypted data packet.

2. The computer-implemented method of clause 1, wherein the firstnetwork and the second network are different networks.

3. The computer-implemented method of clause 1 or 2, wherein the firstnetwork and the second network are different networks, and access to thesecond network by the particular device is limited by a firewallprotecting the first network.

4. The computer-implemented method of any of clauses 1-3, wherein theencrypted portion of data is encrypted at least partly using a publickey associated with the particular device.

5. The computer-implemented method of any of clauses 1-4, which furthercomprises receiving, by the trusted tunnel bridge, data from the firstapplication, wherein the data is generated by executing a query of afield-searchable data store via the first application.

6. The computer-implemented method of any of clauses 1-5, which furthercomprises receiving, by the trusted tunnel bridge, real-time data fromthe first application, wherein the real-time data is generated byexecuting a query on a field-searchable data store for accessing a setof events, each event in the set of events includes a portion of rawmachine data that reflects activity in an information technologyenvironment and that is produced by a component of that informationtechnology environment, each event in the set of events is associatedwith a timestamp extracted from the portion of the raw machine dataincluded in that event.

7. The computer-implemented method of any of clauses 1-6, which furthercomprises authenticating a first connection between the firstapplication and the trusted tunnel bridge, and authenticating a secondconnection between the first device and the trusted tunnel bridge.

8. The computer-implemented method of any of clauses 1-7, which furthercomprises receiving, by the trusted tunnel bridge from the first device,a request to establish a direct WebSocket connection between the firstdevice and the trusted tunnel bridge, and establishing the directWebSocket connection, wherein sending the first encrypted data packetcomprises sending the first encrypted data packet via the directWebSocket connection.

9. The computer-implemented method of any of clauses 1-8, wherein thetrusted tunnel bridge is in the second network.

10. The computer-implemented method of any of clauses 1-9, whereindetermining a first device in the second network comprises uponreceiving the first encrypted data packet, searching, by the trustedtunnel bridge, a routing table using the DDI as a search key, andidentifying, based on the searching, a first entry in the routing tablethat is associated with the DDI, wherein the first entry specifies thefirst device as corresponding to the DDI.

11. The computer-implemented method of any of clauses 1-10, wherein theDDI is generated from a public key associated with the first device.

12. The computer-implemented method of any of clauses 1-11, wherein thetrusted tunnel bridge comprises a first instance in a plurality ofinstances of a trusted tunnel bridge platform, wherein each instance inthe plurality of instances receives a copy of the first encrypted datapacket, and stores the copy of the first encrypted data packet.

13. The computer-implemented method of any of clauses 1-12, wherein theparticular device comprises a content streaming device executing a tvOSoperating system.

14. The computer-implemented method of any of clauses 1-13, wherein theparticular device comprises a mobile device executing an augmentedreality application.

15. The computer-implemented method of any of clauses 1-14, wherein theparticular device comprises a mobile device executing an applicationconfigured to deliver alerts based on data from the first application.

16. The computer-implemented method of any of clauses 1-15, wherein thefirst encrypted data packet is received from the first applicationexecuting in the first network, wherein the first application isoperating on a further device that includes at least a portion of a dataintake and query system.

17. In some embodiments, a non-transitory computer-readable storagemedium including instructions that, when executed by a processor, causethe processor to perform the steps of receiving, from a firstapplication executing in a first network, a first encrypted data packet,wherein the first encrypted data packet includes an encrypted portion ofdata, and a destination device identifier (DDI), determining aparticular device in a second network and associated with the DDIincluded in the first encrypted data packet, and sending, directly tothe particular device, the first encrypted data packet.

18. The non-transitory computer-readable storage medium of clause 17,wherein the encrypted portion of data is encrypted at least partly usinga public key associated with the particular device.

19. The non-transitory computer-readable storage medium of clause 17 or18, wherein the processor further performs the step of receiving, datafrom the first application, wherein the data is generated by executing aquery of a field-searchable data store via the first application.

20. The non-transitory computer-readable storage medium of any ofclauses 17-19, wherein the processor further performs the steps ofreceiving, from the first device, a request to establish a directWebSocket connection with the first device, and establishing the directWebSocket connection, wherein sending the first encrypted data packetcomprises sending the first encrypted data packet via the directWebSocket connection.

21. The non-transitory computer-readable storage medium of any ofclauses 17-20, wherein determining a first device in the second networkcomprises upon receiving the first encrypted data packet, searching, arouting table using the DDI as a search key; and identifying, based onthe searching, a first entry in the routing table that is associatedwith the DDI, wherein the first entry specifies the first device ascorresponding to the DDI.

22. The non-transitory computer-readable storage medium of any ofclauses 17-21, wherein the DDI is generated from a public key associatedwith the first device.

23. The non-transitory computer-readable storage medium of any ofclauses 17-22, wherein the application comprises a first instance in aplurality of instances of a trusted tunnel bridge platform, wherein eachinstance in the plurality of instances performs the steps of receiving acopy of the first encrypted data packet, and storing the copy of thefirst encrypted data packet.

24. In some embodiments, a computing device comprises a memory thatincludes an application, and a processor that is coupled to the memory,and when executing the application, performs receiving, from a firstapplication executing in a first network, a first encrypted data packet,wherein the first encrypted data packet includes an encrypted portion ofdata, and a destination device identifier (DDI), determining aparticular device in a second network and associated with the DDIincluded in the first encrypted data packet, and sending, directly tothe particular device, the first encrypted data packet.

25. The computing device of clause 24, wherein the particular devicecomprises a content streaming device executing a tvOS operating system.

26. The computing device of clause 24 or 25, wherein the particulardevice comprises a mobile device executing an augmented realityapplication.

27. The computing device of any of clauses 24-26, wherein the particulardevice comprises a mobile device executing an application configured todeliver alerts based on data from the first application.

28. The computing device of any of clauses 24-27, wherein the firstencrypted data packet is received from the first application executingin the first network, wherein the first application is operating on afurther device that includes at least a portion of a data intake andquery system.

29. The computing device of any of clauses 24-28, wherein the processorfurther performs authenticating a first connection between the firstapplication and the trusted tunnel bridge, and authenticating a secondconnection between the first device and the trusted tunnel bridge.

30. The computing device of any of clauses 24-29, wherein the processorfurther performs receiving, from the first device, a request toestablish a direct WebSocket connection between the first device and thetrusted tunnel bridge, and establishing the direct WebSocket connection,wherein sending the first encrypted data packet comprises sending thefirst encrypted data packet via the direct WebSocket connection.

The descriptions of the various embodiments have been presented forpurposes of illustration, but are not intended to be exhaustive orlimited to the embodiments disclosed. Many modifications and variationswill be apparent to those of ordinary skill in the art without departingfrom the scope and spirit of the described embodiments.

Aspects of the present embodiments may be embodied as a system, methodor computer program product. Accordingly, aspects of the presentdisclosure may take the form of an entirely hardware embodiment, anentirely software embodiment (including firmware, resident software,micro-code, etc.) or an embodiment combining software and hardwareaspects that may all generally be referred to herein as a “module” or“system.” In addition, any hardware and/or software technique, process,function, component, engine, module, or system described in the presentdisclosure may be implemented as a circuit or set of circuits.Furthermore, aspects of the present disclosure may take the form of acomputer program product embodied in one or more computer readablemedium(s) having computer readable program code embodied thereon.

Any and all combinations of any of the claim elements recited in any ofthe claims and/or any elements described in this application, in anyfashion, fall within the contemplated scope of the present invention andprotection.

Any combination of one or more computer readable medium(s) may beutilized. The computer readable medium may be a computer readable signalmedium or a computer readable storage medium. A computer readablestorage medium may be, for example, but not limited to, an electronic,magnetic, optical, electromagnetic, infrared, or semiconductor system,apparatus, or device, or any suitable combination of the foregoing. Morespecific examples (a non-exhaustive list) of the computer readablestorage medium would include the following: an electrical connectionhaving one or more wires, a portable computer diskette, a hard disk, arandom access memory (RAM), a read-only memory (ROM), an erasableprogrammable read-only memory (EPROM or Flash memory), an optical fiber,a portable compact disc read-only memory (CD-ROM), an optical storagedevice, a magnetic storage device, or any suitable combination of theforegoing. In the context of this document, a computer readable storagemedium may be any tangible medium that can contain, or store a programfor use by or in connection with an instruction execution system,apparatus, or device.

Aspects of the present disclosure are described above with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems) and computer program products according to embodiments of thedisclosure. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer program instructions. These computer program instructions maybe provided to a processor of a general purpose computer, specialpurpose computer, or other programmable data processing apparatus toproduce a machine. The instructions, when executed via the processor ofthe computer or other programmable data processing apparatus, enable theimplementation of the functions/acts specified in the flowchart and/orblock diagram block or blocks. Such processors may be, withoutlimitation, general purpose processors, special-purpose processors,application-specific processors, or field-programmable gate arrays.

The flowchart and block diagrams in the figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods and computer program products according to variousembodiments of the present disclosure. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof code, which comprises one or more executable instructions forimplementing the specified logical function(s). It should also be notedthat, in some alternative implementations, the functions noted in theblock may occur out of the order noted in the figures. For example, twoblocks shown in succession may, in fact, be executed substantiallyconcurrently, or the blocks may sometimes be executed in the reverseorder, depending upon the functionality involved. It will also be notedthat each block of the block diagrams and/or flowchart illustration, andcombinations of blocks in the block diagrams and/or flowchartillustration, can be implemented by special purpose hardware-basedsystems that perform the specified functions or acts, or combinations ofspecial purpose hardware and computer instructions.

While the preceding is directed to embodiments of the presentdisclosure, other and further embodiments of the disclosure may bedevised without departing from the basic scope thereof, and the scopethereof is determined by the claims that follow.

What is claimed is:
 1. A computer-implemented method comprising:establishing, by a trusted tunnel bridge, a first authenticatedcommunication channel with a first application executing in a firstnetwork; receiving, by the trusted tunnel bridge and from the firstapplication via the first authenticated communication channel, a firstdata packet, wherein the first data packet includes: an encryptedportion of data, and a non-encrypted destination device identifier(DDI); determining, by the trusted tunnel bridge, a first device in asecond network and associated with the DDI included in the first datapacket; establishing, by the trusted tunnel bridge, a secondauthenticated communication channel with the first device in the secondnetwork; and sending, by the trusted tunnel bridge directly to the firstdevice via the second authenticated communication channel, the firstdata packet.
 2. The computer-implemented method of claim 1, wherein thefirst network and the second network are different networks.
 3. Thecomputer-implemented method of claim 1, wherein the first network andthe second network are different networks, and access to the secondnetwork by the first device is limited by a firewall protecting thefirst network.
 4. The computer-implemented method of claim 1, whereinthe encrypted portion of data is encrypted at least partly using apublic key associated with the first device.
 5. The computer-implementedmethod of claim 1, further comprising receiving, by the trusted tunnelbridge, data from the first application, wherein the data is generatedby executing a query of a field-searchable data store via the firstapplication.
 6. The computer-implemented method of claim 1, furthercomprising receiving, by the trusted tunnel bridge, real-time data fromthe first application, wherein: the real-time data is generated byexecuting a query on a field-searchable data store for accessing a setof events, each event in the set of events includes a portion of rawmachine data that reflects activity in an information technologyenvironment and that is produced by a component of that informationtechnology environment, each event in the set of events is associatedwith a timestamp extracted from the portion of the raw machine dataincluded in that event.
 7. The computer-implemented method of claim 1,further comprising: authenticating, by the trusted tunnel bridge, afirst connection between the first application and the trusted tunnelbridge; and authenticating, by the trusted tunnel bridge, a secondconnection between the first device and the trusted tunnel bridge. 8.The computer-implemented method of claim 1, further comprising:receiving, by the trusted tunnel bridge from the first device, a requestto establish a direct WebSocket connection between the first device andthe trusted tunnel bridge; and establishing the direct WebSocketconnection, wherein sending the first encrypted data packet comprisessending the first encrypted data packet via the direct WebSocketconnection.
 9. The computer-implemented method of claim 1, wherein thetrusted tunnel bridge is in the second network.
 10. Thecomputer-implemented method of claim 1, wherein determining the firstdevice in the second network comprises: upon receiving the firstencrypted data packet, searching, by the trusted tunnel bridge, arouting table using the DDI as a search key; and identifying, based onthe searching, a first entry in the routing table that is associatedwith the DDI, wherein the first entry specifies the first device ascorresponding to the DDI.
 11. The computer-implemented method of claim1, wherein the DDI is generated from a public key associated with thefirst device.
 12. The computer-implemented method of claim 1, whereinthe trusted tunnel bridge comprises a first instance in a plurality ofinstances of a trusted tunnel bridge platform, wherein each instance inthe plurality of instances: receives a copy of the first encrypted datapacket; and stores the copy of the first encrypted data packet.
 13. Thecomputer-implemented method of claim 1, wherein the first devicecomprises a content streaming device executing a tvOS operating system.14. The computer-implemented method of claim 1, wherein the first devicecomprises a mobile device executing an augmented reality application.15. The computer-implemented method of claim 1, wherein the first devicecomprises a mobile device executing an application configured to deliveralerts based on data from the first application.
 16. Thecomputer-implemented method of claim 1, wherein the first encrypted datapacket is received from the first application executing in the firstnetwork, wherein the first application is operating on a further devicethat includes at least a portion of a data intake and query system. 17.A non-transitory computer-readable storage medium including instructionsthat, when executed by a processor, cause the processor to perform thesteps of: establishing, by a trusted tunnel bridge, a firstauthenticated communication channel with a first application executingin a first network; receiving, by the trusted tunnel bridge and from thefirst application via the first authenticated communication channel, afirst data packet, wherein the first data packet includes: an encryptedportion of data, and a non-encrypted destination device identifier(DDI); determining, by the trusted tunnel bridge, a first device in asecond network and associated with the DDI included in the first datapacket; establishing, by the trusted tunnel bridge, a secondauthenticated communication channel with the first device in the secondnetwork; and sending, by the trusted tunnel bridge directly to the firstdevice via the second authenticated communication channel, the firstdata packet.
 18. The non-transitory computer-readable storage medium ofclaim 17, wherein the encrypted portion of data is encrypted at leastpartly using a public key associated with the first device.
 19. Thenon-transitory computer-readable storage medium of claim 17, wherein theprocessor further performs the step of receiving, data from the firstapplication, wherein the data is generated by executing a query of afield-searchable data store via the first application.
 20. Thenon-transitory computer-readable storage medium of claim 17, wherein theprocessor further performs the steps of: receiving, from the firstdevice, a request to establish a direct WebSocket connection with thefirst device; and establishing the direct WebSocket connection, whereinsending the first encrypted data packet comprises sending the firstencrypted data packet via the direct WebSocket connection.
 21. Thenon-transitory computer-readable storage medium of claim 17, whereindetermining the first device in the second network comprises: uponreceiving the first encrypted data packet, searching, a routing tableusing the DDI as a search key; and identifying, based on the searching,a first entry in the routing table that is associated with the DDI,wherein the first entry specifies the first device as corresponding tothe DDI.
 22. The non-transitory computer-readable storage medium ofclaim 17, wherein the DDI is generated from a public key associated withthe first device.
 23. The non-transitory computer-readable storagemedium of claim 17, wherein the application comprises a first instancein a plurality of instances of a trusted tunnel bridge platform, whereineach instance in the plurality of instances performs the steps of:receiving a copy of the first encrypted data packet; and storing thecopy of the first encrypted data packet.
 24. A computing device,comprising: a memory that includes an application; and a processor thatis coupled to the memory, and when executing the application, performs:establishing, by a trusted tunnel bridge, a first authenticatedcommunication channel with a first application executing in a firstnetwork; receiving, by the trusted tunnel bridge and from the firstapplication via the first authenticated communication channel, a firstdata packet, wherein the first data packet includes: an encryptedportion of data, and a non-encrypted destination device identifier(DDI); determining, by the trusted tunnel bridge, a first device in asecond network and associated with the DDI included in the first datapacket; establishing, by the trusted tunnel bridge, a secondauthenticated communication channel with the first device in the secondnetwork; and sending, by the trusted tunnel bridge directly to the firstdevice via the second authenticated communication channel, the firstdata packet.
 25. The computing device of claim 24, wherein the firstdevice comprises a content streaming device executing a tvOS operatingsystem.
 26. The computing device of claim 24, wherein the first devicecomprises a mobile device executing an augmented reality application.27. The computing device of claim 24, wherein the first device comprisesa mobile device executing an application configured to deliver alertsbased on data from the first application.
 28. The computing device ofclaim 24, wherein the first encrypted data packet is received from thefirst application executing in the first network, wherein the firstapplication is operating on a further device that includes at least aportion of a data intake and query system.
 29. The computing device ofclaim 24, wherein the processor further performs: authenticating, by thetrusted tunnel bridge, a first connection between the first applicationand the trusted tunnel bridge; and authenticating, by the trusted tunnelbridge, a second connection between the first device and the trustedtunnel bridge.
 30. The computing device of claim 24, wherein theprocessor further performs: receiving, from the first device, a requestto establish a direct WebSocket connection between the first device andthe trusted tunnel bridge; and establishing the direct WebSocketconnection, wherein sending the first encrypted data packet comprisessending the first encrypted data packet via the direct WebSocketconnection.